Sticky Burp, Reusable and Replaceable Environment Variables
Use native Burp notes, no more notes.txt! 🤙
Note: BApp Store submission is currently in progress. Once approved, the extension will be available directly through Burp Suite's BApp Store.
StickyBurp is a Burp Suite extension that allows you to create and manage "stickies" (aka Global per-project Environment Variables) from highlighted/selected text across different Burp Suite tabs (think of this extension as the same functionality you get in an API testing and development tool to store variables with raw values that can be used across different views).
This functionality lets you store variables in a table and then replace existing payload contents with these variables (e.g., in the Repeater or Intruder tab). Common example use-cases for storing and replacing are:
- Exploit Server URL / Collaborator URL
- Authentication tokens/cookies (i.e. similar to manually testing Autorize)
- UUIDs, user accounts, emails/PII etc.
- Dynamically created content from an application's response
  - e.g. `SECRET_TOKEN` values (see lab "Lab: Exploiting PHP deserialization with a pre-built gadget chain")
Simply highlight the payload content, right-click and either add, update or replace: (skip to the demo usage)
- Sticky Management
  - Create and store stickies (AKA global environment variables) from any selected text in Burp Suite request/response panes
  - Stickies store name, value, source information and your own notes
  - Replace the values in the Repeater tab with the raw value of the previously saved sticky
  - Copy sticky values to the clipboard with right-click
  - Stickies can be colored for easier visibility and are colored by default
  - Stickies are persisted across projects even when Burp is quit and reopened
- Context Menu Integration
  - Right-click selected text to create new stickies
  - Quick access to update existing stickies
  - Source tracking shows which HTTP request the stickies came from
  - Works in Burp tools for both HTTP Requests and Responses (Proxy, Repeater, Target (Site Map) etc.)
- Dedicated UI Tab
  - Table view of all stored stickies
  - Shows each sticky's name, value, source and your notes
- Hotkeys/Shortcuts (No more clicks!)
  - Automatically switch to the StickyBurp tab using "CMD" ("Control" for Windows users) + "Shift" + "S"
  - Invoke the keys "CMD" ("Control" for Windows users) + "Shift" + "A" to add a new Sticky
Selecting and storing stickies from the Proxy tab
Using stored stickies in Repeater requests
Quick stickies replacement in action
- JDK 21 or lower
- Gradle (included via wrapper)
- Clone the repository:

  ```bash
  git clone https://github.com/yourusername/stickyburp.git
  cd stickyburp
  ```
- Build the extension:

  ```bash
  ./gradlew shadowJar
  ```

The compiled extension JAR will be available at: `build/libs/stickyburp-all.jar`
- Open Burp Suite
- Go to Extensions tab
- Click "Add" button
- Select "Extension type" as Java
- Click "Select file" and choose `build/libs/stickyburp-all.jar`
- Click "Next" to load the extension
- Creating Stickies:
  - Select any text in Burp Suite (Proxy, Repeater, etc.)
  - Right-click and choose "Add to stickyburp"
  - Enter a name for your variable
  - The variable will appear in the stickyburp tab
- Using Stickies:
  - Go to the stickyburp tab to view all stored stickies
  - Click on a variable to copy its value
  - Use copied values in any Burp Suite tool (Repeater, Intruder, etc.)
  - Use quick replace to swap values in requests
- Managing Stickies:
  - View all stickies in the table
  - See the source of each variable
  - Copy values directly from the table
  - Add new stickies manually if needed
- Fork the repository
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add some amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
Core Functionality:
- `StickyVariable.kt`: Data class representing variables with name, value, and source
- `StickyBurpTab.kt`: Main UI component managing the variable table and operations
- `StickyBurpContextMenu.kt`: Context menu integration for variable operations
- `StickyBurpHttpHandler.kt`: HTTP request/response handler for variable replacement
- `StickyBurpExtension.kt`: Main extension entry point and initialization
Want to contribute? Check out our feature request template for ideas or to propose new functionality!
The project uses Gradle with Kotlin for building and testing.