BlackMarker #287
Description
Extension URL
https://github.com/12345qwert123456/BlackMarker
Version number
1.0.0
Select additional compatible products and features
- Community
- DAST
- Burp AI
Author display name
Nikitin Timofey
Contact details (optional)
No response
Discord username (optional)
No response
I confirm that the following is true:
- I have permission from all relevant persons to submit this extension to the BApp Store for public use, under the terms and conditions of the EULA.
- I have read and understood the submission requirements for the BApp Store.
Extension overview
BlackMarker adds a "BlackMarker" tab to every HTTP message editor (Proxy, Repeater, Intruder, etc.) that visually masks sensitive data without modifying the actual HTTP traffic. It's designed for safe screen sharing, live demos, and screenshots during security assessments.
Key features
- 60+ built-in regex rules covering PII, auth tokens, passwords, infrastructure secrets, and crypto keys
- Shannon entropy-based detection for random-looking secrets
- Auto-learn: automatically tracks session cookies, CSRF tokens, and auth tokens from live traffic
- Click-to-reveal: click any masked region to toggle the original value
- Right-click manual masking with auto-learn integration
- Color-coded categories (PII, Auth, Infrastructure, Crypto, Session, Custom)
- Customizable mask character, per-category colors, monochrome mode
- Rule import/export in JSON format
- Full persistence via Burp Persistence API
Usage instructions
Step 1. Install the extension
Download or build BlackMarker-1.0.0.jar
In Burp Suite, go to Extensions → Installed → Add
Set Extension type to Java, select the JAR, click Next
Confirm "BlackMarker loaded" appears in the output tab
Step 2. View masked traffic
Browse a target website through Burp Proxy to capture HTTP traffic
Select any request or response in Proxy, Repeater, or other tools
Click the "BlackMarker" tab (next to Raw / Headers / Hex)
Sensitive data (emails, tokens, passwords, IPs, etc.) is automatically masked with colored highlights
Step 3. Click to reveal original values
In the BlackMarker tab, click any masked (highlighted) region
The original value is revealed with an underline
Click again to re-mask it
Step 4. Manually mask additional text
Select any text in the BlackMarker view
Right-click → "█ Mask selection"
The selected value is masked and added to auto-learn (it will be masked in all future messages)
Right-click → "✖ Clear manual masks" to undo manual masks
Step 5. Use toolbar controls
Masking On/Off — toggle masking entirely
Copy Masked — copy the masked text to clipboard for safe sharing
Wrap — toggle line wrapping for long lines
Hide Headers — collapse standard headers (Accept, User-Agent, etc.) to focus on interesting ones
Step 6. Manage rules
Go to the main BlackMarker tab in Burp's top-level tabs
Open the Rules sub-tab to view all 60+ built-in rules
Add custom rules with Add Rule, test regex live before saving
Use Import/Export to share rules in JSON format
Step 7. Configure settings
In the main BlackMarker tab, open the Settings sub-tab
Change the global mask character, enable monochrome mode, or configure truncation
Click category color cells to customize foreground/background colors
Adjust entropy detection threshold for secret detection sensitivity
Step 8. Monitor auto-learned values
Open the Auto-Learn sub-tab
View all automatically tracked session cookies, CSRF tokens, and auth tokens
Manually added masks also appear here
Clear tracked values when starting a new assessment
Template identifier (Internal use only - please ignore)
- template:01-submit-extension
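The entropy-based detection and display-only masking described in the overview, sketched as an added example that is not BlackMarker's own code. The 20-character minimum, the 4.0 bits/char threshold, the token regex and all function names are assumptions chosen for illustration, and the sample request is constructed.

```python
import math
import re
from collections import Counter

MASK_CHAR = "\u2588"   # "█", the glyph shown in the "Mask selection" menu label
MIN_LEN = 20           # assumed: shorter tokens are skipped as too noisy
THRESHOLD = 4.0        # assumed bits/char cut-off, not BlackMarker's default

# Candidate tokens: runs of characters common in base64/hex/URL-safe secrets.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_LEN)

def shannon_entropy(s: str) -> float:
    """Bits per character: H = -sum(p * log2 p) over character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def find_secrets(text, threshold=THRESHOLD):
    """Return (start, end, entropy) for each candidate token above threshold."""
    hits = []
    for m in TOKEN_RE.finditer(text):
        h = shannon_entropy(m.group())
        if h >= threshold:
            hits.append((m.start(), m.end(), h))
    return hits

def mask_view(text, threshold=THRESHOLD):
    """Build a masked copy for display; the input string is left untouched."""
    out, pos = [], 0
    for start, end, _ in find_secrets(text, threshold):
        out.append(text[pos:start])
        out.append(MASK_CHAR * (end - start))  # same length keeps layout stable
        pos = end
    out.append(text[pos:])
    return "".join(out)

# Constructed sample request (not captured traffic).
SAMPLE = (
    "GET /api/v1/profile HTTP/1.1\r\n"
    "Host: shop.example.test\r\n"
    "Authorization: Bearer q7Zp2LxV9mKd4RtY8sWb3NcH6jFg1UeA5oIv0PzQ\r\n"
    "X-Trace: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(mask_view(SAMPLE))
```

The long but repetitive `X-Trace` value stays visible because its entropy is zero, which is why a length check alone is not enough; lowering the threshold masks more at the cost of hiding ordinary identifiers.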