MaR (Matcher and Replacement) is an auxiliary project in the field of cybersecurity (vulnerability research), primarily used for precise matching and intelligent replacement of HTTP protocol packets. It can automatically modify HTTP request or response content based on user-defined rules when specific conditions are met, helping security researchers achieve automated data tampering during penetration testing.
The design concept of MaR originates from BurpSuite's native Match and Replace functionality, but provides more flexible and powerful rule configuration capabilities, supporting conditional matching, regular expressions, multiple scopes, and other advanced features.
Notes:
- MaR is developed using the Montoya API. You need BurpSuite version >= 2023.12.1 to use it.
Plugin Installation: Extender - Extensions - Add - Select File - Next
When you load MaR for the first time, it will automatically create the configuration file Config.yml and rules file Rules.yml in:
- For Linux/Mac users: ~/.config/MaR/
- For Windows users: %USERPROFILE%/.config/MaR/
In addition, you can also choose to place the configuration files in a .config/MaR/ directory located in the same folder as the MaR Jar package, for easier offline portability.
You can select text in the HTTP request/response editor, right-click and choose "Create MaR Rule" to quickly create a rule. The selected text will be automatically filled into the condition and match fields.
Rule Configuration Items:
| Item | Description |
|---|---|
| Name | Rule name, used to identify the rule |
| C-Scope | Condition scope, specifies which part to check the condition |
| Relationship | Match relationship, supports "Matches" and "Does not match" |
| Condition | Condition content, used to determine whether to execute replacement |
| C-Regex | Whether the condition is evaluated as a regular expression |
| M-Scope | Replacement scope, specifies which part to execute replacement |
| Match | Match content, the content to be replaced |
| Replace | Replace content, the new content after replacement |
| M-Regex | Whether the match is evaluated as a regular expression |
Supported Scopes:
- request - Full request
- request method - Request method
- request uri - Request URI
- request header - Request headers
- request body - Request body
- response - Full response
- response status - Response status code
- response header - Response headers
- response body - Response body
Configuration Management:
- Exclude suffix - Exclude requests with specified suffixes to avoid processing static resources
- Block host - Exclude requests to specified domains
- Scope - Select which BurpSuite modules MaR applies to (Proxy, Repeater, Intruder, etc.)
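The following is an added example, not part of MaR or its source code, that models how a rule from the table above is evaluated: the condition is checked against C-Scope (literal or regex, with "Matches" / "Does not match"), and only then is Match replaced by Replace inside M-Scope. It also models the "Exclude suffix" and "Block host" settings. The request, scope handling, and the `X-Scan-Marker` header are constructed for illustration; only the request side is modeled.

```python
import re
from dataclasses import dataclass

# Constructed sample request; not captured from any real system.
SAMPLE_REQUEST = (
    "GET /api/v1/profile?id=7 HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


@dataclass
class Rule:
    name: str
    c_scope: str       # C-Scope: which part of the request the condition is checked against
    relationship: str  # "Matches" or "Does not match"
    condition: str     # Condition text (literal or regex, see c_regex)
    c_regex: bool      # C-Regex
    m_scope: str       # M-Scope: which part of the request the replacement is applied to
    match: str         # Match text (literal or regex, see m_regex)
    replace: str       # Replace text
    m_regex: bool      # M-Regex


def parse_request(raw):
    """Split a raw request into request line, headers, and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    method, uri, version = request_line.split(" ", 2)
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def build_request(parts):
    head = "\r\n".join([f"{parts['method']} {parts['uri']} {parts['version']}",
                        *parts["headers"]])
    return head + "\r\n\r\n" + parts["body"]


def get_scope(parts, scope):
    """Return the text of one request scope (names follow the README's scope list)."""
    if scope == "request":
        return build_request(parts)
    if scope == "request method":
        return parts["method"]
    if scope == "request uri":
        return parts["uri"]
    if scope == "request header":
        return "\r\n".join(parts["headers"])
    if scope == "request body":
        return parts["body"]
    raise ValueError(f"unknown scope: {scope}")


def set_scope(parts, scope, text):
    if scope == "request method":
        parts["method"] = text
    elif scope == "request uri":
        parts["uri"] = text
    elif scope == "request header":
        parts["headers"] = text.split("\r\n") if text else []
    elif scope == "request body":
        parts["body"] = text
    else:
        raise ValueError(f"unknown scope: {scope}")


def condition_holds(rule, parts):
    text = get_scope(parts, rule.c_scope)
    found = bool(re.search(rule.condition, text)) if rule.c_regex else rule.condition in text
    return found if rule.relationship == "Matches" else not found


def apply_rule(rule, raw):
    """Apply one rule: replacement happens only when the condition holds."""
    parts = parse_request(raw)
    if not condition_holds(rule, parts):
        return raw
    text = get_scope(parts, rule.m_scope)
    new = re.sub(rule.match, rule.replace, text) if rule.m_regex else text.replace(rule.match, rule.replace)
    if rule.m_scope == "request":
        return new
    set_scope(parts, rule.m_scope, new)
    return build_request(parts)


def is_skipped(raw, exclude_suffixes, blocked_hosts):
    """Model of 'Exclude suffix' (by URI path) and 'Block host' (by Host header)."""
    parts = parse_request(raw)
    path = parts["uri"].split("?", 1)[0].lower()
    if any(path.endswith(s.lower()) for s in exclude_suffixes):
        return True
    host = ""
    for h in parts["headers"]:
        if h.lower().startswith("host:"):
            host = h.split(":", 1)[1].strip()
    return host.lower() in {b.lower() for b in blocked_hosts}


# Example rule (constructed): when the headers do NOT already contain X-Scan-Marker,
# insert that header after Host so test traffic is identifiable in server logs.
TAG_RULE = Rule(
    name="tag-test-traffic",
    c_scope="request header", relationship="Does not match",
    condition="X-Scan-Marker", c_regex=False,
    m_scope="request header",
    match=r"(Host: [^\r\n]*)", replace=r"\1\r\nX-Scan-Marker: mar-test", m_regex=True,
)

if __name__ == "__main__":
    once = apply_rule(TAG_RULE, SAMPLE_REQUEST)
    print(once)
    print("idempotent:", once == apply_rule(TAG_RULE, once))
```

Because the example rule's condition is "Does not match" on the header it inserts, applying it twice leaves the request unchanged, which is the behaviour you want from a header-injection rule that sits in the Proxy scope and sees every request.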
Use Cases:
- Parameter Tampering - Automatically modify request parameter values based on conditions
- Response Modification - Modify response content to bypass frontend validation
- Request Injection - Automatically add or modify request/response headers
We appreciate everyone's support for the project. The following list is ordered by the time of donation, not by amount. If there are any omissions, please contact the project author for additions.
| ID | Amount |
|---|---|
| 柯林斯 | 888.00 CNY |
| JaveleyQAQ | 50.00 CNY |
| Kite | 20.00 CNY |
| ArG3 | 66.00 CNY |
| 祝祝 | 288.00 CNY |
| 洺熙 | 88.88 CNY |
| 秋之 | 99.00 CNY |
| Redbag | 66.00 CNY |
| 毁三观大人 | 200.00 CNY |
| 朽木 | 200.00 CNY |
If you find MaR useful, you can show your appreciation by donating to the author, giving them the motivation to continue updating and improving it!