Custom actions are powered by Bambdas, which are snippets of code that run directly from Burp's interface. You can write your own Bambdas using Java to meet your specific testing requirements.
Before you begin writing, gather inspiration and check for existing solutions:
Explore our Bambdas GitHub repository - You may find an existing Bambda that already meets your needs or provides inspiration for writing your own.
Join the conversation - Connect with other Bambda developers on the PortSwigger Discord#bambdas channel to discuss ideas and get feedback.
Review our acceptance criteria - If you plan to submit your Bambda to our GitHub repository, check our submission guidelines to make sure it meets our acceptance criteria.
You can create new Bambdas using built-in templates or from a blank definition.
Seven objects of the Montoya API are available to help you write your custom action Bambdas:
HttpRequestResponse
RequestResponseSelection
HttpEditor
MontoyaApi
Utilities
Logging
Ai
Before creating a custom action, it's a good idea to make sure the Repeater tab contains a request / response pair that you've sent and want to test the custom action against. This is so the testing function has access to a valid request, response, and HTTP service. For more information, see How Burp selects test data.
To create a new custom action:
In Repeater, click Custom actions. The Custom actions side panel opens.
Click New and select either Blank or From template. The Custom actions editor dialog opens.
If you selected From template, select a Custom action template from the list, then click Create using this template.
Write your custom action Bambda using Java. For more information, see Writing custom actions.
Test the custom action using the built-in test function. For more information, see Testing custom actions.
[Optional] Click Save to library > Save. The Bambda is saved to your Bambda library for future use.
Click OK.
If the Bambda is error-free, it's added to the Custom actions side panel.
If errors exist, they appear in the Compilation errors panel. You'll need to fix these before you can add the Bambda to the list. For more information, see Troubleshooting Bambdas.
To speed up your workflow, you can use the following keyboard shortcuts to save your Bambda to the Bambda library:
Save to library - Ctrl + S or Cmd + S
Save copy to library - Ctrl + Shift + S or Cmd + Shift + S
Using slow running or resource-intensive Bambdas can slow down Burp. Write your Bambda carefully to minimize performance impact.
When adding or editing a custom action Bambda, you can test its behavior using the built-in test function. This enables you to confirm that the action performs as expected.
To test a custom action Bambda in the Custom actions editor:
Review the sample message under Request. Optionally, replace it with the specific request you'd like to test the rule against.
Click Test. Burp runs the custom action Bambda on the sample message.
Review any output in the Console tab.
Adjust the custom action as necessary.
To restore the sample message, click .
The test function automatically uses the open request, response, and HTTP service from the current Repeater tab when you open the Custom actions editor.
The HTTP service is the destination host, port and protocol. For example, https://example.com:443. If this information isn't available, Burp uses a null HTTP service instead. This can impact how your custom action behaves during testing, especially if it:
Makes follow-up requests.
Logs information about the target service.
Processes messages based on host or protocol.
#bambdas channel.