# Match Replace Burp

Useful Match and Replace BurpSuite rules. Each rule lives under Proxy > Options > Match and Replace: pick the `Type` (request header, request body, request first line, response header, response body, parameter name or value), the literal string or regex to match, and the replacement. A header-type rule with an empty match adds the replacement as a new header to every message in scope, which is how the header-injection rules below work.

## Finding hidden buttons, forms, and other UI elements

Many websites contain hidden buttons, forms, and other UI elements, for example `<input type="hidden">` fields and controls marked `disabled`. Rewriting them in the response body makes them visible and editable in the browser, so you can see and tamper with parameters the client was never meant to expose.

* Show Hidden UI (1): response-body rule that turns hidden inputs into visible ones (e.g. `type="hidden"` to `type="text"`)
* Show Hidden UI (2): response-body rule that strips the `hidden` attribute from other elements
* Change disable to enable: response-body rule that removes `disabled` from greyed-out controls (there is no `enabled` attribute in HTML; deleting `disabled` is what makes the control clickable)

## Changing `false` to `true`

Sometimes hidden features appear just by flipping a boolean in a response (or request) body from `false` to `true`. Examples:

* Changing the role from normal user to admin
* Marking the email as verified

Anchor the match on the field name (for example `"emailVerified":false`) rather than on the bare word `false`: a bare match also rewrites unrelated booleans and substrings, can break the JSON the front end parses, and hides which flag actually mattered. Flipping a value in a response only changes what the browser shows; the finding is real only if the server honours the value on a later request.

## Bypass WAF

Some WAFs and applications allowlist internal addresses and trust client-supplied forwarding headers when deciding the source IP. Adding such a header to every request can get your traffic treated as coming from `127.0.0.1`.

* Adding `X-Forwarded-Host: 127.0.0.1` (request-header rule, empty match, the header as the replacement)

> Create another rule for each of the following headers:

```
X-Forwarded-Port: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-Scheme: 127.0.0.1
X-Frame-Options: Allow
X-Forwarded-For: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Cluster-Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1
Origin: null
Origin: Domain.attacker.com
```

A few of these need care: `X-Forwarded-Port` expects a port number and `X-Forwarded-Scheme` expects `http` or `https`, so the `127.0.0.1` values above are only useful for spotting servers that blindly reflect them; `X-Frame-Options` is a response header, so sending `X-Frame-Options: Allow` in a request has no effect. The two `Origin` lines are for CORS testing rather than WAF bypass: they check whether `null` or an attacker-controlled origin is reflected in `Access-Control-Allow-Origin`. Enable the rules one at a time, since a dozen unusual headers on every request is itself a WAF signature and makes it impossible to tell which header did the trick.

## Finding IDOR

Replace your own user UUID with another user's UUID everywhere it appears, so every request your browser makes is replayed as the other user. A request-body (or parameter-value) rule covers UUIDs sent in the body or query string.

> Create another rule but change the `type` to "Request First Line" so that UUIDs in the URL path are rewritten as well.

## Finding XSS

Inject a payload into places that are commonly logged or reflected:

* Finding XSS on `User-Agent`: request-header rule that replaces the `User-Agent` value with the payload
* Finding XSS on `Referer`: the same for `Referer`
* Auto replace user input with XSS payload: request-body rule that replaces the marker `xss_payload` with the payload

> So by just typing the word `xss_payload` into any field on the website, it is immediately replaced on the wire with the payload (the example payload starts with `">`, which closes the surrounding attribute and tag before the injected markup). The marker contains nothing that URL-encoding would mangle, and the replacement is inserted raw, so you can fuzz every input from the browser without going through Repeater.
>
> Change the XSS payload as you want.

## MISC

Some other match and replace rules:

* Finding [CVE-2021-44228](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q) (Log4Shell): add a JNDI lookup string that points at a listener you control to a header such as `User-Agent`, then watch the listener for callbacks.

> Create some more rules to look for it in other headers, parameters and cookies, because log4j-logged input can come from anywhere in the request.

* Help companies identify your traffic and separate it from malicious traffic by adding a custom header to every request (many bug bounty programs specify one, typically carrying your researcher handle).

References:

- https://twitter.com/PTestical/status/1413497660133318659
- https://twitter.com/HolyBugx/status/1355472991061213184
- https://twitter.com/intigriti/status/1192103070072741894
- https://twitter.com/payloadartist/status/1469582893772984322
- https://twitter.com/payloadartist/status/1422247377516122114
- https://twitter.com/hackerscrolls/status/1247177578269597698

> Soon will be updated again