How are you using Reshaper?

[ddwightx]

I'm interested in hearing about how people are using Reshaper.

What scenarios/use cases is it helpful for?
What Whens and Thens do you use?
How many Rules do you have?

[migueldilaj]

Hi @ddwightx!

I've a scenario on which a REST API needs testing. It uses both Bearer tokens (renewing those with macros and extensions is well-known and easy), but also a digital signature of the payload created on a separate server.
So the flow is more or less:

1. authenticate - get Bearer token which can be used for X minutes
2. sign the payload
3. send request

Once the need to run Intruder arises, step 2 required automation, so I did that with Reshaper. Along the way I also included renewal of the Bearer token upon a 401 response.

Nice extension! Still learning its full potential.

[darkr4y]

Hi @ddwightx
I have some usage scenarios, and I want to write rules more easier and faster without using GUI, so I have this issue

1. Detecting webvuln with other tools - whens: matchText in Response to do the web fingerprint things,thens: runProcess with nuclei to send payload
2. Detecting webvuln only using Reshaper - whens: matchText in Response to do the web fingerprint things, thens: sendRequest serval time to detect vulns
3. Tamper the requests to detect webvuln - whens: contentType in Requests is JSON,thens: tamper the request add fastjson payload to detect vulns

etc ...

[AkikoOrenji]

1. Running a process to generate an alert sound from the OS when there is a server response telling me a token has expired so i can stop my Burp scans and generated a new token before continuing (in this instance i can't automate renewal of the token as a 2fa manual logon required).
2. Generating a random string by running a windows process to call openssl binary and the injecting this into each request to ensure i have a unique object created in each request when automated fuzzing (to get good code coverage).
3. same as as the others have said. Generating another GET request to check if a payload is found at another location after posting a payload.

[ddwightx]

Here's how I use Reshaper (for Burp) with a little background about the creation of Reshaper.

I use Burp Suite primarily as a tool to help with web development. Previously I used Fiddler (Fiddler Classic) by Telerikfor the same purpose, however, I needed a solution that had better cross-platform support. At the time, I needed the ability to inspect both browser to service and service to service traffic, the ability to redirect traffic on demand, delay responses, change values in certain HTTP requests and responses, and mock endpoints. The same things I use Reshaper for today. Fiddler could host a forward proxy and multiple reverse proxies and had a feature called AutoResponder which could be used to setup conditions for some of these scenarios, however, others required writing FiddlerScript (JScript .NET) code which was powerful but not the most user friendly.

When I started using Burp Suite, I used a combination of the Proxy tool's Match and Replace feature, a slightly modified version of HTTP Mock (added more redirection features), the Target Redirector, and the Add Custom Header extensions to meet the same needs. Unfortunately, these tools were cumbersome to use due to the their various limits and did not meet all of my needs. The Match and Replace feature for example lacked the ability to target different transformations at different, specific endpoints.

Since I was going to be using Burp Suite regularly now, I thought it'd be best to create a tool which could accomplish all of the things I needed with a friendly interface which doesn't require me to write scripts (like FiddlerScript) or single task extensions to accomplish more than basic task.

Long before I started using Burp Suite (during my Fiddler days), I created a standalone tool called Reshaper (not Reshaper for Burp), which is a Windows desktop app to primarily help debug text-based socket traffic using rules just like the rule system Reshaper for Burp is based on. It also had dedicated HTTP support (to solve my gripes with Fiddler) though it was buggy and incomplete. Now that I moved over to Burp Suite, rather than trying to fully build out HTTP support in the standalone Reshaper, I decided to build Reshaper for Burp to provide the same functionality and more and to meet all of my web development debugging needs.

In my most used installation, I have 50 Rules, 22 always enabled.
When constraints I use in order of my most popular usage: Event Direction, Matches Text, Has Entity
Then actions I use in order of my most popular usage: Set Value, Run Rules, Set Variable, Highlight, Delete Value, Send Request, Set Event Direction, Delay, Run Script, Save File, Drop, Run Process

[ganesh2183]

@ddwightx I'm new to Reshaper burp extension, I have a scenario where i want to create rules:

1. when i execute the request (authenticated page after login) in Repeater / Scanner, if the response body has "operation":"login" (which means session is expired or no valid session is available)
2. then i want to add specific header value 'X-Stepper-Execute-Before: ibx' in request.

Need your help to create rule for this scenario.

[ganesh2183]

Hi @ganesh2183 To accomplish this, first go to the Settings tab and ensure Repeater and Scanner are selected. Next, build a Rule with the following:

When
	Event Direction		// When a response is received
		Event Direction: Response
	From Tool			// And it is from the Repeater
		Tool: Repeater
	From Tool
		Tool: Scanner		// Or it is from the Scanner
		Use OR Condition: Checked
	Matches Text			// And the response body has "operation":"login"
		Source Message Value: Response Body
		Match Type: Contains
		Match Text: "operation":"login"
Then
	Set Value			// Then set the new header (in Reshaper's in-memory version of the original request)
		Source Text: ibx
		Destination Message Value: Request Header
		Destination Identifier: X-Stepper-Execute-Before
	Send Request			// Send the modified request and store the response in the newResponse Event variable
		Wait for Completion: Checked
		Capture Output: Checked
		Capture Variable Source: Event
		Capture Variable Name: newResponse
	Set Value			// Overwrite the response with the value of the newResponse Event variable
		Source Text: {{e:newResponse}}
		Destination Message Value: Response Message

Thanks for reply and help to create rule.
I need another favor once request header added, i want to update cookie value in request.
For example: php-sessionid=avbcjfgr688edghbnns77

How to do this.

[ddwightx]

You just need another Set Value right next to the one that set the header.

Set Value	
		Source Text: avbcjfgr688edghbnns77
		Destination Message Value: Request Cookie
		Destination Identifier: php-sessionid

[ganesh2183]

@ddwightx Thanks for your help. I added same rule, but I see expected 200ok response in 'Logger' history not in 'Repeater' response window. Why?

[ganesh2183]

@ddwightx Need your help on this.

[ddwightx]

Hi @ganesh2183 Note sure how much your setup has changed since the last time. I suggest using the Enable Diagnostics option on the Settings page, trigger your request, and see if you can determine from there what's happening by observing the Logs tab. If you can't alone, remove/rename any personally identifiable identifiers or details, then attach a copy of the output here.

[sorvict]

@ddwightx I have some ideas how to use Reshaper for some automation of daily routine for recruiters/sourcer. Here is just one example https://www.loom.com/share/18e9b561b195413a9f77e9ff9b8a0084 . Would you be open to discuss?

[ddwightx]

Sure, @sorvict. Looks like you're using Reshaper to prompt you with some information based on something that your bookmarks trigger. Quite a creative, unexpected use case. Is there something Burp/Reshaper has access to that could not be handle solely by your bookmarklets (which can itself scrape the page, perform fetch requests, and open an alert box)?