Mocking HTTP Services with Burp
11-08, 18:10–18:20 (US/Pacific), Blue Day

Burp Suite is the standard tool for manipulating HTTP traffic, but it focuses on manually manipulating requests and responses. This talk presents a Burp extensions that bridges the gap and allows you to automatically manipulate requests using external software, all within Burp.


Burp Suite is the standard tool for manipulating HTTP traffic, but it focuses on manually manipulating requests and responses. But what if you need to manipulate those requests programmatically? Maybe the application you're testing times out quickly, or you don't want to worry about correctly copy-pasting binary data into the request stream, or you just don't want to perform the same modification over and over again. Burp has some extremely limited automatic request rewriting tools, but they aren't useful in any case more complicated than a regex find/replace. This talk will demonstrate the use of the Burp HTTP Mock extension, which allows you to create rules that redirect requests either to an internal static webserver, a different URL, or to a local program or script for advanced manipulation.

See also: Slides (4.7 MB)

Shea Polansky is a security analyst for Independent Security Evaluators, where he performs network and application security assessments. He uses his background in systems administration and software development to automate all the things, and teaches himself electrical engineering as a hobby.