LevelUp+ Pentesting is a Burp Suite extension that supercharges your pentesting workflow.
It lets you define named variables with ((variable_name)) syntax, automatically replaces a highlighted value with ((variable_name)) when you send a request to Repeater, auto-extracts values from responses using regex, and sends every request through a substitution layer, so tokens, cookies, and dynamic values stay up to date without manual copy-paste.
Version 2.0 adds a full Spider & Endpoint Mapper that crawls your target, discovers links, forms, and JavaScript-defined API endpoints, and sends any of them directly to Repeater with one click.
When you press Ctrl+Shift+Q or right-click → "Send to LevelUp+ Pentesting", the new Repeater tab is automatically named after the last path segment of the URL.
POST /api/v1/login → tab: "login"
GET /user/profile → tab: "profile"
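The tab-naming rule above is small but has edge cases (trailing slashes, query strings, a request for the site root). The function below is an added illustration written for Python 3, not the extension's own Jython code; the function name and the host/constant fallback for a root URL are choices made here, not behaviour the page documents.

```python
from urllib.parse import urlsplit


def repeater_tab_name(url, fallback="request"):
    """Name a Repeater tab after the last non-empty path segment of `url`.

    Trailing slashes, query strings and fragments are ignored. A request for the
    site root has no path segment, so the host is used instead, then `fallback`.
    (Hypothetical helper; the extension's real naming code is not shown on the page.)
    """
    parts = urlsplit(url)
    segments = [seg for seg in parts.path.split("/") if seg]
    if segments:
        return segments[-1]
    return parts.netloc or fallback


if __name__ == "__main__":
    for sample in ("https://example.com/api/v1/login",
                   "https://example.com/user/profile/",
                   "https://example.com/search?q=x",
                   "https://example.com/"):
        print(sample, "->", repeater_tab_name(sample))
```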
Highlight any value in a request, then press Ctrl+Shift+Q or right-click → "Send to LevelUp+ Pentesting".
The selected text is replaced with ((variable_name)) — where variable_name is whatever you set in the extension's settings tab.
Authorization: Bearer eyJhbGc...
↓ highlight token, right-click ↓
Authorization: Bearer ((token))
Every time you click Send in Repeater (or any Burp tool), the extension intercepts the outgoing request via IHttpListener and substitutes all ((name)) placeholders with the values stored in the Variables table.
Request: POST /api/login
Body: {"token": "((token))", "session": "((session_id))"}
Sent as: POST /api/login
Body: {"token": "abc123xyz", "session": "sess-9f8e7d"}
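To make the substitution step concrete, here is an added, self-contained model of that layer in Python (it is not the extension's code; the function names, the sample request and the variable table are constructed for the example). It shows two details a practitioner cares about: a placeholder whose name is not in the table is left visible rather than silently replaced with an empty string, and Content-Length is recomputed because rewriting the raw bytes in a listener changes the body length.

```python
import re

# ((name)): the placeholder syntax substituted on every outgoing request.
PLACEHOLDER = re.compile(r"\(\((\w+)\)\)")

# Constructed sample: a Repeater request carrying two placeholders, plus the Variables table.
SAMPLE_REQUEST = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 51\r\n"
    "\r\n"
    '{"token": "((token))", "session": "((session_id))"}'
)
VARIABLES = {"token": "abc123xyz", "session_id": "sess-9f8e7d"}


def substitute_placeholders(raw_request, variables):
    """Replace each ((name)) with variables[name].

    Names missing from the table are left untouched and reported, so an
    unresolved placeholder stays visible in the sent request instead of
    silently becoming ''. Returns (rewritten_request, unresolved_names).
    """
    unresolved = []

    def replace(match):
        name = match.group(1)
        if name in variables:
            return variables[name]
        unresolved.append(name)
        return match.group(0)

    return PLACEHOLDER.sub(replace, raw_request), unresolved


def substitute_request(raw_request, variables):
    """Substitute placeholders, then fix Content-Length if the body length changed.

    Rewriting the raw bytes inside a listener does not recompute the header
    for you, so it is done here. Header lines are matched up to the CR so the
    CRLF line ending survives the rewrite.
    """
    rewritten, unresolved = substitute_placeholders(raw_request, variables)
    head, sep, body = rewritten.partition("\r\n\r\n")
    if sep:
        body_len = len(body.encode("utf-8"))
        head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                      "Content-Length: %d" % body_len, head)
    return head + sep + body, unresolved


if __name__ == "__main__":
    sent, missing = substitute_request(SAMPLE_REQUEST, VARIABLES)
    print(sent)
    print("unresolved:", missing)
```

The same substitution applies to headers and body alike, so an Authorization: Bearer ((token)) line is handled by the same pass as a JSON body.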
The LevelUp+ Pentesting tab (at the top-level Burp menu bar) contains a table where you can manually add, edit, or remove variables.
| Variable | Value |
|---|---|
| token | abc123xyz |
| session_id | sess-9f8e7d |
| csrf | tok-0192abc |
Every Burp message editor (Repeater, Proxy, etc.) gets a new "LU+ Extract" tab alongside Pretty / Raw / Hex / Inspector.
Define extraction rules:
| Variable | Regex | Group | Last Match |
|---|---|---|---|
| token | "access_token"\s*:\s*"([^"]+)" | 1 | ✓ abc123xyz |
| csrf | name="csrf" value="([^"]+)" | 1 | ✓ tok-0192abc |
| session_id | Set-Cookie: session=([^;]+) | 1 | ✓ sess-9f8e7d |
| data | data":"(.*)" | 1 | ✓ Your data |
On every response received, each rule is evaluated. If the regex matches, the captured group is automatically written into the Variable table — ready to be substituted on your next request.
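The rule evaluation is easy to model, and doing so shows two behaviours worth knowing before relying on it: a rule that does not match leaves the previous value in place (a stale token survives a failed login), and a greedy regex such as the data":"(.*)" row over-captures when more fields follow the one you want. The code below is an added example in Python, not the extension's implementation; the ExtractRule class, the sample login response and the data response are constructed here.

```python
import re


class ExtractRule:
    """One row of the LU+ Extract table: variable, regex, capture group, last match."""

    def __init__(self, variable, regex, group=1):
        self.variable = variable
        self.pattern = re.compile(regex)
        self.group = group
        self.last_match = None  # mirrors the table's "Last Match" column


def apply_extract_rules(response_text, rules, variables):
    """Evaluate every rule against one response and write captures into `variables`.

    Returns the names of the variables this response updated. A rule that does
    not match leaves the variable's previous value alone; a group number the
    regex does not have is skipped instead of raising inside the response handler.
    """
    updated = []
    for rule in rules:
        match = rule.pattern.search(response_text)
        if match is None:
            continue
        try:
            value = match.group(rule.group)
        except IndexError:
            continue
        if value is None:  # optional group that did not participate in the match
            continue
        rule.last_match = value
        variables[rule.variable] = value
        updated.append(rule.variable)
    return updated


# Constructed sample: the rules from the table above and a login response to run them on.
RULES = [
    ExtractRule("token", r'"access_token"\s*:\s*"([^"]+)"'),
    ExtractRule("csrf", r'name="csrf" value="([^"]+)"'),
    ExtractRule("session_id", r"Set-Cookie: session=([^;]+)"),
]
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=sess-9f8e7d; Path=/; HttpOnly\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"access_token": "abc123xyz", "expires_in": 3600}'
)

# Greedy vs. non-greedy: the table's data":"(.*)" rule captures past the field when
# more keys follow; (.*?) stops at the first closing quote.
GREEDY_DATA = ExtractRule("data", r'data":"(.*)"')
LAZY_DATA = ExtractRule("data", r'data":"(.*?)"')
SAMPLE_DATA_RESPONSE = '{"data":"Your data","id":"7"}'


if __name__ == "__main__":
    table = {"csrf": "tok-0192abc"}
    print(apply_extract_rules(SAMPLE_RESPONSE, RULES, table), table)
```

Prefer the non-greedy form (or a negated character class like [^"]+, as the other rows already do) whenever the captured value is followed by more data on the same line.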
After sending a request to LevelUp+ Pentesting, Burp automatically switches focus to the Repeater panel and selects the newly created tab — no manual tab hunting needed.
Select any text in any editor pane (Repeater, Proxy, etc.) and press Ctrl+Shift+W. The selected text is copied directly into the value of the active variable (ext._var_name) in the Variables table.
A built-in BFS web crawler accessible from the LevelUp+ Pentesting suite tab.
Links tab — every crawled URL with status code and depth.
| Pattern | Depth | Status | Path |
|---|---|---|---|
| /user/<ARGS> | 2 | 200 | /user/42 |
| /product/stock | 3 | 200 | /product/stock |
Forms tab — all HTML forms with action, method, pre-filled parameters, and detected content-type.
| Action | Method | Parameters | Content-Type |
|---|---|---|---|
| /login | POST | username=, password=, csrf=abc123 | |
| /product/stock | POST | productId=, storeId= | application/xml\|stockCheck |
| /upload | POST | file=, description= | multipart/form-data |
JS Endpoints tab — API calls extracted by static analysis of JavaScript files.
| Endpoint | Method | Params | Source |
|---|---|---|---|
| /api/v2/user | GET | | app.js |
| /api/cart | POST | productId, qty | cart.js |
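For readers who want to see what "static analysis of JavaScript files" amounts to in practice, here is an added regex-based pass over a constructed JavaScript sample (not the extension's code; the patterns, the sample script and the output shape are this example's own). It covers the four call styles the changelog lists: fetch(), XMLHttpRequest.open(), axios.<verb>() and $.ajax({...}). It does not attempt the Params column, and it only finds string-literal URLs: template strings and URLs assembled at runtime need a real parser.

```python
import re

# Call patterns looked for in page scripts: fetch, XHR, axios, jQuery AJAX.
FETCH_RE = re.compile(r"""fetch\(\s*['"]([^'"]+)['"]\s*(?:,\s*\{([^}]*)\})?""")
METHOD_OPT_RE = re.compile(r"""method\s*:\s*['"]([A-Za-z]+)['"]""")
AXIOS_RE = re.compile(r"""axios\.(get|post|put|patch|delete)\(\s*['"]([^'"]+)['"]""")
XHR_OPEN_RE = re.compile(r"""\.open\(\s*['"]([A-Za-z]+)['"]\s*,\s*['"]([^'"]+)['"]""")
AJAX_RE = re.compile(r"""\$\.ajax\(\s*\{([^}]*)\}""")
URL_OPT_RE = re.compile(r"""url\s*:\s*['"]([^'"]+)['"]""")
TYPE_OPT_RE = re.compile(r"""(?:type|method)\s*:\s*['"]([A-Za-z]+)['"]""")


def extract_js_endpoints(js_source, source_name):
    """Return [{endpoint, method, source}] for each API call found in `js_source`.

    The options-object scan stops at the first '}', so `method`/`url`/`type`
    must appear before any nested object literal (a known limitation of a
    regex pass). Duplicate (endpoint, method) pairs are reported once.
    """
    found = []

    def add(path, method):
        found.append({"endpoint": path, "method": method.upper(), "source": source_name})

    for m in FETCH_RE.finditer(js_source):
        opt = METHOD_OPT_RE.search(m.group(2) or "")
        add(m.group(1), opt.group(1) if opt else "GET")  # fetch defaults to GET
    for m in AXIOS_RE.finditer(js_source):
        add(m.group(2), m.group(1))
    for m in XHR_OPEN_RE.finditer(js_source):
        add(m.group(2), m.group(1))
    for m in AJAX_RE.finditer(js_source):
        url = URL_OPT_RE.search(m.group(1))
        if url:
            typ = TYPE_OPT_RE.search(m.group(1))
            add(url.group(1), typ.group(1) if typ else "GET")  # jQuery defaults to GET

    seen, unique = set(), []
    for entry in found:
        key = (entry["endpoint"], entry["method"])
        if key not in seen:
            seen.add(key)
            unique.append(entry)
    return unique


# Constructed sample script exercising all four call styles.
SAMPLE_JS = r"""
fetch('/api/v2/user').then(r => r.json());
fetch("/api/cart", { method: "POST", body: JSON.stringify({ productId, qty }) });
axios.post('/api/orders', payload);
const xhr = new XMLHttpRequest();
xhr.open('PUT', '/api/profile');
$.ajax({ url: '/api/search', type: 'GET', data: { q: term } });
"""


if __name__ == "__main__":
    for entry in extract_js_endpoints(SAMPLE_JS, "app.js"):
        print(entry)
```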
Send to Repeater — select any row in any tab and click Send to Repeater. The extension builds the correct request automatically:
- JSON body for application/json
- XML body for application/xml (root element auto-detected from JS)
- Multipart body for multipart/form-data
- URL-encoded body for plain POST
- Query string for GET
- Pre-filled parameter values (including CSRF tokens) are preserved from the HTML response
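The list above describes one builder with a body strategy per content-type. The function below is an added Python 3 model of that builder, not the extension's own code; its signature, the fixed multipart boundary and the body_of() helper are choices made for the example. The headers argument is where reused Proxy History material (Cookie, User-Agent) would be passed in, and the xml_root argument stands in for the root element the spider detects from page JavaScript.

```python
import json
from urllib.parse import urlencode, urlsplit
from xml.sax.saxutils import escape

FORM_URLENCODED = "application/x-www-form-urlencoded"


def build_request(method, url, params, content_type=None, xml_root="request",
                  headers=None, boundary="----LevelUpPlusBoundary"):
    """Build a raw HTTP/1.1 request for a discovered form or endpoint.

    params       list of (name, value) pairs; pre-filled form values such as a
                 CSRF token are passed through unchanged.
    content_type "application/json", "application/xml", "multipart/form-data",
                 or None for a plain POST (urlencoded). GET always uses a query string.
    headers      extra headers to carry over, e.g. Cookie/User-Agent copied from a
                 real browser request in Proxy History.
    Text-only multipart is produced; binary file uploads are out of scope here.
    """
    method = method.upper()
    parts = urlsplit(url)
    path = parts.path or "/"
    hdrs = {"Host": parts.netloc}
    hdrs.update(headers or {})
    body = ""

    if method == "GET":
        query = urlencode(params)
        if query:
            path = path + "?" + query
    elif content_type == "application/json":
        body = json.dumps(dict(params))
        hdrs["Content-Type"] = "application/json"
    elif content_type == "application/xml":
        fields = "".join("<%s>%s</%s>" % (n, escape(str(v)), n) for n, v in params)
        body = "<%s>%s</%s>" % (xml_root, fields, xml_root)
        hdrs["Content-Type"] = "application/xml"
    elif content_type == "multipart/form-data":
        chunks = ["--%s\r\nContent-Disposition: form-data; name=\"%s\"\r\n\r\n%s\r\n"
                  % (boundary, name, value) for name, value in params]
        body = "".join(chunks) + "--%s--\r\n" % boundary
        hdrs["Content-Type"] = "multipart/form-data; boundary=%s" % boundary
    else:
        body = urlencode(params)
        hdrs["Content-Type"] = FORM_URLENCODED

    if method != "GET":
        hdrs["Content-Length"] = str(len(body.encode("utf-8")))

    request_line = "%s %s HTTP/1.1" % (method, path)
    header_lines = ["%s: %s" % (k, v) for k, v in hdrs.items()]
    return "\r\n".join([request_line] + header_lines) + "\r\n\r\n" + body


def body_of(raw_request):
    """Return the body of a raw request (helper for inspection)."""
    return raw_request.partition("\r\n\r\n")[2]


if __name__ == "__main__":
    # Constructed inputs mirroring the Forms table rows above.
    print(build_request("POST", "https://example.com/login",
                        [("username", ""), ("password", ""), ("csrf", "abc123")]))
    print(build_request("POST", "https://example.com/product/stock",
                        [("productId", "1"), ("storeId", "2")],
                        "application/xml", xml_root="stockCheck"))
```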
Proxy History reuse — if the URL was already visited in the browser, the spider and Send to Repeater reuse that request's exact cookies and headers instead of sending a bare synthetic request. This is critical for bot-protected and authenticated pages.
Redirect following — the spider automatically follows 3xx redirects (same-host only), logs the original URL as 302 and the final destination separately.
Static asset filtering — CSS, images, fonts, and other non-HTML resources are excluded from the Links table automatically.
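The three spider behaviours above (same-host redirect following with both hops logged, static asset filtering, and the /user/<ARGS> pattern column from the Links table) fit in one small breadth-first crawler. The code below is an added Python 3 example, not the extension's crawler; it takes a fetch callback so it can run against a constructed in-memory site, and the attribute regex, the extension list and the numeric-segment pattern rule are assumptions of this example.

```python
import re
from collections import deque
from urllib.parse import urljoin, urlsplit

# Extensions excluded from the Links table (non-HTML resources).
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
              ".woff", ".woff2", ".ttf", ".map")
# href/src/action values: double-quoted, single-quoted, or unquoted.
ATTR_URL_RE = re.compile(r"""(?:href|src|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def is_static_asset(url):
    return urlsplit(url).path.lower().endswith(STATIC_EXT)


def normalize_pattern(path):
    """Collapse numeric segments to <ARGS> so /user/42 and /user/43 share one pattern."""
    return "/".join("<ARGS>" if seg.isdigit() else seg for seg in path.split("/"))


def crawl(start_url, fetch, max_depth=3):
    """Breadth-first crawl of one host.

    `fetch(url)` -> (status, headers, body) is injected so the crawler runs
    offline here; in Burp it would be an HTTP call. Returns Links-table rows
    (pattern, depth, status, path). 3xx responses are logged as-is, then the
    destination is queued only if it stays on the start host.
    """
    host = urlsplit(start_url).netloc
    seen = {start_url}
    queue = deque([(start_url, 0)])
    rows = []
    while queue:
        url, depth = queue.popleft()
        status, headers, body = fetch(url)
        path = urlsplit(url).path or "/"
        rows.append((normalize_pattern(path), depth, status, path))

        if 300 <= status < 400:
            location = next((v for k, v in headers.items() if k.lower() == "location"), None)
            if location:
                target = urljoin(url, location).split("#")[0]
                if urlsplit(target).netloc == host and target not in seen:
                    seen.add(target)
                    queue.appendleft((target, depth))  # same depth as the redirecting URL
            continue

        if depth >= max_depth:
            continue
        for m in ATTR_URL_RE.finditer(body):
            raw = next(g for g in m.groups() if g is not None)
            link = urljoin(url, raw).split("#")[0]
            if urlsplit(link).netloc != host or is_static_asset(link) or link in seen:
                continue
            seen.add(link)
            queue.append((link, depth + 1))
    return rows


# Constructed in-memory site standing in for a live target.
SITE = {
    "https://example.com/": (200, {},
        '<a href="/user/42">me</a> <a href=/product/stock>stock</a> '
        '<link href="/static/app.css"> <a href="https://other.example/x">ext</a> '
        '<a href="/old">old</a>'),
    "https://example.com/user/42": (200, {}, '<a href="/user/43">next</a>'),
    "https://example.com/user/43": (200, {}, ""),
    "https://example.com/product/stock": (200, {}, '<form action="/product/stock" method="post"></form>'),
    "https://example.com/old": (302, {"Location": "/new"}, ""),
    "https://example.com/new": (200, {}, ""),
}


def fake_fetch(url):
    return SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    for row in crawl("https://example.com/", fake_fetch):
        print(row)
```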
- Download extension.py
- Open Burp Suite → Extensions → Installed → Add
- Set Extension type to Python
- Select the extension.py file → Next
- Confirm: output should show [LU+] loaded.
Requirement: Burp Suite must be configured with a Jython standalone JAR. Download from jython.org and set the path under Extensions → Options → Python environment.
1. Open the "LevelUp+ Pentesting" suite tab → click "Spider" subtab
2. Enter a target URL (e.g. https://example.com) and click Start
3. The crawler discovers:
- All in-scope links (Links tab)
- All HTML forms with parameters and content-type (Forms tab)
- All JS-defined API endpoints (JS Endpoints tab)
4. Select any row → click "Send to Repeater"
   The request is built with the correct method, headers, and body automatically.
   If the URL exists in your Proxy History, the real browser request is reused
   (including cookies, headers, and User-Agent).
1. In Proxy History or anywhere in Burp:
→ Right-click a request → "Send to LevelUp+ Pentesting"
2. The request opens in a new Repeater tab named after the endpoint.
3. Highlight a dynamic value (e.g., a token) → Right-click → "Send to LevelUp+ Pentesting"
→ The value becomes ((token)) (or whatever name you configured)
4. Go to the "LevelUp+ Pentesting" suite tab
→ Set the value for "token" in the Variables table
5. Click Send in Repeater — the placeholder is substituted automatically.
1. Open "LU+ Extract" tab in any Repeater/Proxy message editor
2. Add a row:
   Variable: token
   Regex: "access_token"\s*:\s*"([^"]+)"
   Group: 1
3. Every time a response arrives, if the regex matches,
   "token" in the Variables table is updated automatically (open the LU+ Extract tab first to check that the regex successfully captured the value).
4. Your next request using ((token)) will carry the fresh value.
Step 1: POST /auth/login
→ LU+ Extract captures "access_token" → saves to token
Step 2: GET /api/user
Authorization: Bearer ((token))
→ On Send, ((token)) is replaced with the extracted value automatically
Open the LevelUp+ Pentesting tab in the Burp Suite main menu bar.
| Setting | Description |
|---|---|
| Variable name for selection | The variable name used when you highlight text and send to extension. Default: var1 |
| Variables table | Name → Value pairs. Manually add/edit/remove variables. Auto-updated by LU+ Extract rules. |
This extension was built with ideas from two great projects:
- burp_variables by 0xceba — The concept of defining named variables inside Burp requests with a placeholder syntax.
- Stepper by C0DEbrained — The idea of using regex rules to extract values from responses and chain them across requests.
- v2.0 Spider & Endpoint Mapper
  - BFS web crawler with Links, Forms, and JS Endpoints tabs
  - HTML form parsing: captures pre-filled field values (CSRF tokens etc.)
  - Content-type detection: JSON, XML (root element auto-detected from JS), multipart/form-data
  - JS static analysis: extracts fetch(), XHR, axios, jQuery AJAX calls
  - Page-level JS context: detects window.contentType and XML builder patterns
  - Send to Repeater builds correct body for each content-type
  - Proxy History reuse: spider and Send to Repeater use real browser requests when available
  - Redirect following: 3xx same-host redirects followed automatically
  - Static asset filtering: CSS, images, fonts excluded from Links table
  - Unquoted HTML attribute support
- v1.2 Add shortcut Ctrl+Shift+W
  - Select text in any editor pane (Repeater, Proxy, etc.) and press Ctrl+Shift+W. The selected text is copied directly into the value of the active variable (ext._var_name) in the Variables table.
- v1.1 Add shortcut Ctrl+Shift+Q
  - Send request to Repeater
- v1.0 init
blacowhait — github.com/blacowhait
"Plus Ultra" — keep breaking through.
