Filter expressions are a Lisp-like DSL for selecting the requests/responses that should be forwarded to a script. This document lists most of the defined filter functions; for the complete set, search Filter.kt.
Filter expressions are read from the REQ_FILTER and RES_FILTER strings exported by a script. See the example scripts.
Strings can be provided as raw strings (r"...") or normal strings ("..."). Raw strings undergo no escape processing, which makes them the natural choice for PATTERN args (regular expressions with backslashes); in a normal string a backslash must itself be escaped.
- and VARARG_STMT
- or VARARG_STMT
- not STMT
- in-scope
- host-matches PATTERN
- method-eq VARARG_STRING
- path-contains PATTERN
- path-matches PATTERN
- file-ext-eq VARARG_STRING
- has-header VARARG_STRING
- header-matches STRING PATTERN
- body-contains PATTERN
- body-matches PATTERN
- has-cookie VARARG_STRING
- has-json-key VARARG_STRING
- has-query-param VARARG_STRING
- has-form-param VARARG_STRING
- query-param-matches STRING PATTERN
- status-code-eq VARARG_INT
- status-code-in INT INT
- has-attachment VARARG_STRING
- listener-port-eq VARARG_INT
- tool-source-eq VARARG_STRING
- from-proxy
Logical and of all passed statements
(and
(path-contains "/api")
(header-matches "Authorization" r"^Bearer\s+.*$")
...
(in-scope)
)
Logical or of all passed statements
(or
(in-scope)
(host-matches r".*\.google\.com")
...
(has-header "X-Secret-Key")
)
Negates the given statement
(not (has-header "Authorization"))
Checks if the request is in scope
(in-scope)
Check if the host portion of the URL matches the provided pattern.
Note - This does not inspect the Host header directly. Burp constructs a URL for each request from the request line and the Host header, but the host portion of that constructed URL may differ from what the client sent in the Host header. In particular, if a transparent ("Invisible") proxy listener is used, the host in the URL corresponds to the hostname specified in the listener's Redirect settings.
Note - Following from the above, when used as a response filter (RES_FILTER), the URL of the initiating request is used.
(host-matches r".*\.google\.com$")
Checks if the request method is one of the provided strings. Note this is case-sensitive.
(method-eq "PUT" "POST")
Checks if the request path contains the given pattern
(path-contains "foo.*bar")
Checks if the request path matches the given pattern
(path-matches r"^foo.*bar$")
Checks if the requested file extension is any of the given strings.
(file-ext-eq ".php" ".js" ... ".html")
Checks if the request/response has any of the given headers. Header names are case-sensitive.
(has-header "Authorization")
Checks if the request/response has the named header and its value matches the provided pattern. Header names are case-sensitive.
(header-matches "Content-Type" r".*application/json.*")
Checks if the body contains the given pattern
(body-contains "\"isAdmin\":\\s+false")
Checks if the entire body matches the provided pattern
(body-matches "^[0-9]+$")
Searches the request/response for any of the provided cookie names. Returns true if any of the provided cookies exist.
(has-cookie "session")
Searches the request/response body for any of the provided JSON keys. This function supports dotted syntax for JSON keys, so nested keys can be searched for. Returns true if any of the provided keys match.
(has-json-key "user.isSuperAdmin")
Checks that any of the given query parameters exist
(has-query-param "id")
Checks that the request has any of the given form parameters
(has-form-param "id" "identifier")
Checks that the given query parameter matches the given pattern. If the parameter doesn't exist this evaluates to false.
(query-param-matches "id" r"[0-9]+")
Only applicable as a Response filter, checks that the status code is one of the provided codes
(status-code-eq 200 201)
Checks that the status code is in the given range (inclusive)
(status-code-in 200 299)
Attachments are custom pieces of data attached to a request/response by other scripts. This checks to see if the given attachment key exists.
(has-attachment "such" "attachments")
Checks that the request was to a listener with one of the provided ports
(listener-port-eq 9090)
Returns true if the tool source is one of the provided sources. Valid sources:
- "Suite"
- "Target"
- "Proxy"
- "Scanner"
- "Intruder"
- "Repeater"
- "Logger"
- "Sequencer"
- "Decoder"
- "Comparer"
- "Extensions"
- "Recorded login replayer"
- "Organizer"
The match is case-insensitive
(tool-source-eq "Suite")
Returns true if the request/response is associated with the Proxy tool type. This is also controllable via the UI, but it may be useful to have here too.
(from-proxy)
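As an added example that is not part of this project (Filter.kt is the real implementation), the Python below is a small reference evaluator for the expressions documented above. It exists so that the rules stated on this page can be checked against a constructed request: raw versus normal strings, case-sensitive header names and methods, query-param-matches on a missing parameter, inclusive status ranges, and dotted has-json-key paths. Where the page does not say how matching works, the code assumes that "-matches" functions require the pattern to match the whole value while "-contains" functions search within it, that a backslash in a normal string escapes the following character, and that host-matches takes the host from the constructed URL. The Message class and the SAMPLE request are constructed stand-ins for Burp objects, not captured traffic.

```python
# Added reference evaluator for the filter DSL above (illustrative, not Filter.kt).
# Assumptions not stated on the page: "-matches" needs a full regex match and
# "-contains" a search; a normal string's backslash escapes the next character.
import json
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

@dataclass
class Message:  # constructed stand-in for a Burp request plus optional response
    url: str                       # the URL Burp builds for the request
    method: str = "GET"
    headers: dict = field(default_factory=dict)  # names kept in original case
    body: str = ""
    status: int = 0                # 0 while evaluating a request-only filter
    in_scope: bool = False

class Symbol(str):
    """Bare identifier such as host-matches, kept distinct from string args."""

TOKEN = re.compile(r'\s*(?:(?P<paren>[()])|r"(?P<raw>[^"]*)"'
                   r'|"(?P<str>(?:[^"\\]|\\.)*)"|(?P<atom>[^\s()"]+))')

def tokenize(src):
    """Split source into '(' / ')', Symbols, ints and decoded ('str', value)."""
    tokens, i, src = [], 0, src.strip()
    while i < len(src):
        m = TOKEN.match(src, i)
        if not m:
            raise ValueError(f"bad token at offset {i}")
        i = m.end()
        if m.group("paren"):
            tokens.append(m.group("paren"))
        elif m.group("raw") is not None:          # r"..." is taken literally
            tokens.append(("str", m.group("raw")))
        elif m.group("str") is not None:          # "\"" -> "  and  "\\s" -> \s
            tokens.append(("str", re.sub(r"\\(.)", r"\1", m.group("str"))))
        else:
            atom = m.group("atom")
            tokens.append(int(atom) if atom.isdigit() else Symbol(atom))
    return tokens

def parse(tokens):  # token stream -> nested lists (one top-level form)
    tok = tokens.pop(0)
    if tok == "(":
        form = []
        while tokens[0] != ")":
            form.append(parse(tokens))
        tokens.pop(0)
        return form
    return tok[1] if isinstance(tok, tuple) else tok

def has_json_path(body, dotted):  # follow user.isSuperAdmin through nested objects
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return False
        doc = doc[part]
    return True

def evaluate(form, m):
    head, args = form[0], form[1:]
    url = urlsplit(m.url)
    params = parse_qs(url.query, keep_blank_values=True)
    full = lambda pat, s: s is not None and re.fullmatch(pat, s) is not None
    find = lambda pat, s: re.search(pat, s) is not None
    ops = {
        "and": lambda: all(evaluate(a, m) for a in args),
        "or": lambda: any(evaluate(a, m) for a in args),
        "not": lambda: not evaluate(args[0], m),
        "in-scope": lambda: m.in_scope,
        "host-matches": lambda: full(args[0], url.hostname or ""),  # URL host, not Host header
        "method-eq": lambda: m.method in args,                       # case-sensitive
        "path-contains": lambda: find(args[0], url.path),
        "path-matches": lambda: full(args[0], url.path),
        "has-header": lambda: any(n in m.headers for n in args),    # exact-case names
        "header-matches": lambda: full(args[1], m.headers.get(args[0])),
        "body-contains": lambda: find(args[0], m.body),
        "body-matches": lambda: full(args[0], m.body),
        "has-json-key": lambda: any(has_json_path(m.body, k) for k in args),
        "has-query-param": lambda: any(n in params for n in args),
        "query-param-matches": lambda: full(args[1], (params.get(args[0]) or [None])[0]),
        "status-code-eq": lambda: m.status in args,
        "status-code-in": lambda: args[0] <= m.status <= args[1],   # inclusive
    }
    if head not in ops:
        raise ValueError(f"unsupported filter function: {head}")
    return ops[head]()

def matches(expr, m):  # evaluate one REQ_FILTER / RES_FILTER expression
    return evaluate(parse(tokenize(expr)), m)

# Constructed sample traffic, not a real capture.
SAMPLE = Message(
    url="https://api.example.com/api/users?id=42", method="POST", status=200,
    headers={"Host": "api.example.com", "Authorization": "Bearer abc.def"},
    body='{"user":{"name":"bob"},"isAdmin":  false}', in_scope=True)
```

matches(expr, SAMPLE) returns the boolean a script's filter would produce under the assumptions above; for example, (has-header "authorization") is false against SAMPLE because the header name differs in case, and (query-param-matches "page" r"[0-9]+") is false because the parameter is absent.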