Professional

Creating HTTP match and replace rules with scripts

Last updated:November 18, 2025
Read time:4 Minutes

You can create powerful match and replace rules using Java-based scripts. These enable you to perform custom modifications to HTTP messages as they pass through Burp's proxy.

You can apply scripts in the following ways:

Load existing scripts - Load scripts from your Bambda library. This is your personal collection of reusable scripts. It includes any scripts you've created and saved, or ones you've imported, for example, from our GitHub repo. For more information, seeImporting scripts.
Create new scripts - Write your own custom scripts. To get started quickly, use one of the built-in templates, which work without modification.

Keyboard shortcuts

To speed up your workflow when creating or loading scripts, you can use the following keyboard shortcuts:

Save -Ctrl + S orCmd + S
Save as -Ctrl + Shift + S orCmd + Shift + S
Create new script -Ctrl + N orCmd + N
Load recent script -Ctrl + O orCmd + O

Loading scripts from your library

You can load and apply scripts that are stored in your library to add a new rule.

To load a script from your Bambda library:

InProxy > Match and replace, clickAdd to open theAdd match/replace rule window.
In theAdd match/replace rule window, clickScript mode.
ClickLoad.
Select a recent script from the list.
If the script you want to load isn't in the list, clickView all to view all scripts stored in your library.
1. Select a script.
2. Click Load.
[Optional] If required, edit the script:
1. Make your changes.
2. Test the rule using the built-in test function. For more information, seeTesting HTTP match and replace rules.
3. Save your changes:
  - To overwrite the existing script, clickSave to library > Save.
  - To save a new version, clickSave to library > Save as.
ClickOK.

If the script is error-free, it's added to theHTTP match and replace rules table and automatically enabled for the current project.

If errors exist, they appear in theCompilation errors panel. You'll need to fix these before you can add the script to the table. For more information, seeTroubleshooting scripts.

Creating custom scripts

You can write your own scripts directly in theAdd match/replace rule window, using built-in templates or from a blank definition.

Note

Before you begin writing, we recommend exploring ourBambdas GitHub repository. There may be an existing script that meets your needs or provides inspiration for creating your own.

Two objects of the Montoya API are available to help you write your script:

ProxyHttpRequestResponse
Utilities

The script must return either theHttpRequest orHttpResponse object.

For advanced use cases, you can also access a subset of the Montoya API functionality. This enables you to create more complex script.

Warning

Use the Montoya API functionality carefully when creating match and replace scripts. While we've restricted access to known dangerous functionality, certain methods may still potentially impact Burp's performance or cause memory leaks.

To create a script to add a new rule:

InProxy > Match and replace, clickAdd to open theAdd match/replace rule window.
In theAdd match/replace rule window, clickScript mode.
If you want to create your script from a built-in template, selectNew > From template. Select a template from the list, then clickCreate using this template.
Write your script using Java.
Test the rule using the built-in test function. For more information, seeTesting HTTP match and replace rules.
[Optional] ClickSave to library > Save. The script is saved to your Bambda library for future use across Burp.
ClickApply & close.

If the script is error-free, it's added to theHTTP match and replace rules table and automatically enabled for the current project.

If errors exist, they appear in theCompilation errors panel. You'll need to fix these before you can add the script to the table. For more information, seeTroubleshooting scripts.

Warning

Using slow running or resource-intensive scripts can slow down Burp. Write your script carefully to minimize performance impact.

Example scripts

In the example below, we'll create aRequest script that forces all HTTP requests tohttps://ginandjuice.shop and adds aUser: Admin header.

In this example, our script is:

return requestResponse.request()    .withService(HttpService.httpService("https://ginandjuice.shop"))    .withAddedHeader("User", "Admin")    .withUpdatedHeader("Host", "ginandjuice.shop");

In the example below, we'll create aResponse script that uses theMontoyaAPI functionality to send items to Organizer with the note "Cached response" when they meet the following criteria:

The response has anX-Cache header with a value ofHit.

In this example, our script is:

if(requestResponse.response().headerValue("X-Cache").contains("Hit")) {    api().organizer().sendToOrganizer(HttpRequestResponse.httpRequestResponse(requestResponse.request(), requestResponse.response(), Annotations.annotations("Cached response")));}return requestResponse.response();

To get feedback, showcase your work, and connect with other developers, share your script on ourPortSwigger Discord #bambdas channel.
To share your scripts with the community, add them to our ever-growing GitHub repository. For more information, seeSubmitting scripts to our GitHub repository.

Movatterモバイル変換

Professional and Community Edition

Creating HTTP match and replace rules with scripts

Keyboard shortcuts

Loading scripts from your library

Creating custom scripts

Note

Warning

Warning

Example scripts

Related pages