Offensive Open-Source Tool

Burp Variables

Storage and Reuse Functionality

Burp Variables is a Burp Suite add-on that lets users define and reuse dynamic values in HTTP requests by automatically swapping placeholders with stored data when sending.

About Burp Variables

Add variable storage and reuse functionality to outgoing HTTP requests

Burp Variables is an extension for PortSwigger’s Burp Suite (Burp) tool designed to add variable storage and reuse functionality to outgoing HTTP requests. This productivity-focused extension allows users to insert placeholders into their requests, which are automatically replaced with defined values when the requests are sent. Burp Variables fills a critical feature gap in Burp by introducing variable handling capabilities similar to those available in other web API testing tools like Postman and Insomnia.

  • Burp Variables proves especially valuable for penetration testers and security researchers who encounter mutable session data, ephemeral tokens, or user-specific identifiers during security assessments. 
  • By allowing users to define and reuse variables for these values, this extension streamlines the process of updating requests as these values change, eliminating time-consuming manual edits. 
  • In addition to saving time, this improved workflow also minimizes the risk of mishandling identifiers, which can result in false positives.

Why Burp Variables?

While several extensions attempt to solve the variable handling challenge, most fall short in practical implementation. After we tested various alternatives during real assessments, Burp Variables stood out as the most effective solution because it is purpose-built for this task.

Here are a few reasons why Burp Variables offers superior functionality compared to alternative extensions:

  • Burp Variables stores variable definitions at the project level, allowing different Burp projects to have unique sets of variables.
  • The Burp Variables user interface streamlines the process of adding and editing variables, making it significantly faster and more user-friendly than other solutions. This is essential, as variable handling capabilities are introduced specifically to enhance productivity.
  • When configured to modify proxy traffic, Burp Variables restricts variable replacement to requests that fall within the project's scope, which mitigates the risk of sensitive variable values being leaked to out-of-scope or malicious destinations.
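The scope restriction in the last point can be illustrated with a short sketch. This is an added example, not code from the Burp Variables project; the `((name))` placeholder syntax, the host-based scope rule, the function names, and the sample values are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed placeholder syntax for this sketch: ((name))
PLACEHOLDER = re.compile(r"\(\(([A-Za-z0-9_]+)\)\)")

def in_scope(url, scope_hosts):
    """True when the URL's host is a scope host or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in scope_hosts)

def substitute(url, raw_request, variables, scope_hosts):
    """Return (request, replaced_names).

    Out-of-scope requests pass through untouched, so a stored token is
    never written into traffic bound for a host outside the project.
    """
    if not in_scope(url, scope_hosts):
        return raw_request, []
    replaced = []

    def repl(match):
        name = match.group(1)
        if name not in variables:
            return match.group(0)  # unknown placeholder is left as typed
        replaced.append(name)
        return variables[name]

    return PLACEHOLDER.sub(repl, raw_request), replaced

# Constructed sample data, not taken from a real assessment.
VARIABLES = {"session": "constructed-token-123"}
SCOPE = ["app.example.test"]
IN_SCOPE_REQ = ("GET /api/me HTTP/1.1\r\nHost: app.example.test\r\n"
                "Authorization: Bearer ((session))\r\nX-Trace: ((missing))\r\n\r\n")
OUT_OF_SCOPE_REQ = ("GET /collect?t=((session)) HTTP/1.1\r\n"
                    "Host: tracker.example.net\r\n\r\n")

if __name__ == "__main__":
    for url, req in [("https://app.example.test/api/me", IN_SCOPE_REQ),
                     ("https://tracker.example.net/collect", OUT_OF_SCOPE_REQ),
                     ("https://evilapp.example.test/api/me", IN_SCOPE_REQ)]:
        out, names = substitute(url, req, VARIABLES, SCOPE)
        print(url, "->", "replaced " + ", ".join(names) if names else "unchanged")
```

The third URL shows why the scope check compares whole host labels: a lookalike host that merely ends with the same characters as an in-scope host is treated as out of scope.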

Ultimately, Burp power users stand to benefit from gaining variable handling capabilities, a feature notably absent from the core platform.

Related Resources

BurpSuite Research

Blog Post

Power Up Your Pen Tests: Creating Burp Suite Extensions with the New Montoya API

Learn how to power up your pen tests by using the new Montoya API to create Burp Suite extensions from scratch.

Blog Post

Burp Variables: A Burp Suite Extension

Bishop Fox has built a new extension that fills a major gap in Burp’s workflow: variable handling.

Workshop

Powering Up Burp Suite: Building Custom Extensions for Advanced Web Application Testing

Learn how to power up web application security testing with tips on creating customized extensions featuring BurpCage.

Blog Post

Burp, Collaborate, and Listen: A Pentester Reviews the Latest Burp Suite Addition

Bishop Fox pentesters analyze the implications and benefits of Burp Suite's newest penetration testing feature, Collaborator.

Join the Bishop Fox GitHub Community

Burp Variables is open source and built for the offensive security community. Star the repo, file issues, contribute templates, or fork it for your own research.
