Regex in Burp Suite workflows
Burp Suite is regex-driven: scope rules, match-and-replace, proxy and logger filters, and response searches all take patterns. Knowing how to write them turns repetitive manual steps into automatic ones. This lesson covers the practical Burp regex you’ll use constantly.
You'll learn to
- Define scope and filters with regex
- Automate request edits with match-and-replace
- Search responses for interesting patterns
Match-and-replace: edit every request automatically
Burp's match-and-replace runs a regex on every request/response.
Examples:
Match (request header): ^User-Agent:.*$
Replace: User-Agent: tester
Match: ^Authorization:.*$ (strip auth to test access control)
Replace: (empty)
Inject a header into every request:
Match: ^(Host:.*)$
Replace: $1\r\nX-Forwarded-For: 127.0.0.1
Match-and-replace applies a pattern to all traffic, so you can spoof a header, strip authentication, or inject a value across an entire test session without editing each request. The $1 in the replacement refers back to the first captured group.
Scope and logger filters
Scope (advanced, regex): ^https?://([a-z0-9-]+\.)?target\.com$
Logger filter: (?i)(password|token|key) -> find secrets in traffic
Filter out noise: \.(png|jpg|css|woff2?)$ -> hide static assets
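The rules and patterns above, exercised offline as an added example (not code from the lesson or from Burp itself). It applies the three match-and-replace rules to each header line of a constructed request, translating Burp's `$1` back-reference to Python's `\1`, and checks the scope pattern against a few scheme+host strings to show what the escaped dot buys you. `apply_header_rules`, `in_scope` and the sample request are assumptions made for this example.

```python
import re

# Constructed sample request; not captured from any real host.
SAMPLE_REQUEST = (
    "GET /api/me HTTP/1.1\r\n"
    "Host: app.target.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Authorization: Bearer abc123\r\n"
    "\r\n"
)

# The three rules from the lesson, written as they are typed into Burp:
# $1 group references and a literal \r\n in the replacement text.
RULES = [
    (r"^User-Agent:.*$", r"User-Agent: tester"),
    (r"^Authorization:.*$", r""),
    (r"^(Host:.*)$", r"$1\r\nX-Forwarded-For: 127.0.0.1"),
]

def burp_repl_to_python(replace):
    """Translate Burp's $N group references to Python's \\N. Python's re.sub
    already turns a literal \\r\\n in the replacement into CR LF."""
    return re.sub(r"\$(\d+)", r"\\\1", replace)

def apply_header_rules(raw_request, rules):
    """Apply (match, replace) rules to each header line separately, which is
    how a Burp 'request header' rule is evaluated. A header whose replacement
    is empty is dropped rather than left behind as a blank line."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        for match, replace in rules:
            line = re.sub(match, burp_repl_to_python(replace), line)
        if line:
            out.append(line)
    return "\r\n".join(out) + sep + body

# The lesson's scope pattern, and the same pattern with the dot left unescaped.
SCOPE = re.compile(r"^https?://([a-z0-9-]+\.)?target\.com$")
SCOPE_UNESCAPED = re.compile(r"^https?://([a-z0-9-]+\.)?target.com$")

def in_scope(url, pattern=SCOPE):
    """True if the scheme+host string matches the scope pattern. The pattern
    is anchored with $, so it is meant for scheme://host, not a URL with a
    path, and its optional group admits only one subdomain label."""
    return pattern.match(url) is not None
```

Running `apply_header_rules(SAMPLE_REQUEST, RULES)` yields a request with the User-Agent rewritten, the Authorization header gone, and X-Forwarded-For inserted directly after the Host line.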
Checkpoint
How does a Burp match-and-replace rule that targets the Authorization header help test access control?
By setting the match to the Authorization header line and the replacement to empty, Burp strips authentication from every request automatically. You can then browse the application and see which endpoints still return data without credentials — anything that should require authentication but responds anyway is a broken-access-control finding. It turns a per-request manual edit into an automatic, session-wide test.
Try it yourself
Write a Burp scope regex that matches target.com and its subdomains, correctly escaping the literal dots. Then describe a match-and-replace rule that would inject an X-Forwarded-For header into every request, using a captured group to preserve the existing Host line.
Key takeaways
- Match-and-replace applies a pattern to all traffic — spoof, strip, or inject.
- $1 in a replacement refers to the first captured group.
- Logger filters surface secrets; asset filters hide static-file noise.
- Escape literal dots in scope patterns or you’ll match too much.
Next, bundle analysis — extracting everything useful from minified and obfuscated JavaScript.