Replicator helps developers to reproduce issues discovered by pen testers. The pen tester produces a Replicator file which contains the findings in the report. Each finding includes a request, associated session rules or macros, and logic to detect presence of the vulnerability. The tester sends the Replicator file to the client alongside the report. Developers can then open the file within Burp and replicate the issues. When vulnerabilities have been fixed, Replicator provides confirmation that the attack vector used in the pen test is now blocked. A retest is still recommended, in case alternative attack vectors remain exploitable.

Developer workflow

1. Load the Replicator file.
2. If you want to test a different application instance (perhaps a development instance), edit the Hosts section to point to that instance.
3. Click Test all. All the vulnerabilities should get the status Vulnerable. If any do not, you need to investigate why. You can use the Start Trace button to generate a trace file that may help the pen tester diagnose the issue.
4. Save the file. This is important for confirming fixes later.
5. Identify an issue to work on. Consult the pen test report for a full description.
6. When the application has been updated, click Test to see if it is still vulnerable.

Issues can have the following status:

- Vulnerable - The application is still vulnerable.
- Resolved (tentative) - The vulnerability appears to be resolved. Replicator cannot confirm this with certainty; a retest is required for that.
- Unable to replicate - It wasn't possible to determine if the application is vulnerable. This may be because credentials are invalid. Some fixes (e.g. removing the whole page) can also cause this.

Tester workflow