Burp Replicator - Automate Reproduction of Complex Vulnerabilities

Burp Replicator is another extension (BApp) that you can add to the Burp Suite proxy tool. Replicator helps developers reproduce issues discovered by pen testers. The pen tester produces a Replicator file containing the findings from the report. Each finding includes a request, the associated session rules or macros, and the logic used to detect the presence of the vulnerability. The tester sends the Replicator file to the client alongside the report, and developers can then open the file within Burp and replicate the issues.

When vulnerabilities have been fixed, Replicator provides confirmation that the attack vector used in the pen test is now blocked. A retest is still recommended, in case alternative attack vectors remain exploitable.

The developer's workflow looks as follows:

  1. Load the Replicator file.
  2. If you want to test a different application instance (perhaps a development instance), edit the Hosts section to point to that instance.
  3. Click Test all. All the vulnerabilities should get the status Vulnerable. If any do not, you need to investigate why; the Start Trace button generates a trace file that may help the pen tester diagnose the issue.
  4. Save the file. This is important for confirming fixes later.
  5. Identify an issue to work on. Consult the pen test report for a full description.
  6. When the application has been updated, click Test to see if it’s still vulnerable.

(Screenshot: the Burp Replicator plugin)

Issues can have the following status:

  • Vulnerable – The application is still vulnerable.
  • Resolved (tentative) – The vulnerability appears to be resolved. Replicator cannot confirm this with certainty; a retest is required for that.
  • Unable to replicate – It wasn’t possible to determine whether the application is vulnerable. This may be because credentials are invalid; some fixes (e.g. removing the whole page) can also cause this.
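The three statuses above are the outcomes of replaying a stored request and evaluating its detection logic. The following Python is an added illustration of that triage, not Burp Replicator's own code or file format: the `Finding` structure, the regex-based evidence check, the login-marker heuristic and the fake in-memory application are all assumptions made so it runs offline. It shows why a session failure or a removed page ends up as Unable to replicate rather than Resolved.

```python
"""Model of a Replicator-style retest: replay each stored request and
map the outcome to Vulnerable / Resolved (tentative) / Unable to replicate.
Illustrative code; the data shapes and transport are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

VULNERABLE = "Vulnerable"
RESOLVED = "Resolved (tentative)"
UNABLE = "Unable to replicate"


@dataclass
class Response:
    """Constructed HTTP response shape used by the fake application."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Finding:
    """One stored finding (hypothetical structure)."""
    name: str
    request: str                  # request line the tester captured
    evidence: str                 # regex whose match proves the issue is present
    login_marker: str = "Log in"  # body text meaning the session was not established


def classify(finding: Finding, resp: Response) -> str:
    # Session rules/macros failed (auth rejected or login page shown):
    # we cannot judge the vulnerability at all.
    if resp.status in (401, 403) or finding.login_marker in resp.body:
        return UNABLE
    # Whole page removed: also undecidable, as the page notes.
    if resp.status == 404:
        return UNABLE
    # Detection logic: evidence still present means still vulnerable.
    if re.search(finding.evidence, resp.body):
        return VULNERABLE
    # Attack vector blocked; only a manual retest can confirm the fix.
    return RESOLVED


def retest(findings: List[Finding], send: Callable[[str], Response]) -> Dict[str, str]:
    """'Test all': replay every stored request and classify each result."""
    return {f.name: classify(f, send(f.request)) for f in findings}


# Constructed sample findings; payload specifics are elided placeholders.
SAMPLE_FINDINGS = [
    Finding("Reflected input in search", "GET /search?q=REPLICATOR_MARK",
            evidence=r"<b>REPLICATOR_MARK</b>"),   # marker echoed unencoded
    Finding("Verbose database error", "GET /item?id=PROBE",
            evidence=r"SQL syntax"),               # raw DB error in body
    Finding("Admin export reachable", "GET /admin/export",
            evidence=r"Export all users"),
]


def fake_app(request: str) -> Response:
    """Stand-in for the target application so the example runs offline."""
    path = request.split(" ", 1)[1]
    if path.startswith("/search"):   # not yet fixed: input still reflected
        return Response(200, body="Results for <b>REPLICATOR_MARK</b>")
    if path.startswith("/item"):     # fixed: error now handled generically
        return Response(200, body="Item not found")
    if path.startswith("/admin"):    # session macro failed: login page served
        return Response(200, body="Please Log in to continue")
    return Response(404)


if __name__ == "__main__":
    for name, status in retest(SAMPLE_FINDINGS, fake_app).items():
        print(f"{name}: {status}")
```

Running it reports the first finding as Vulnerable, the second as Resolved (tentative) and the third as Unable to replicate; the last case is the one the page warns about, where invalid credentials hide the real state of the issue and the developer should fix the session setup before trusting the result.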

You can read more about this plugin in the BApp Store: https://portswigger.net/bappstore/56cf924977874104ac35e52962a9a553
