Published 8 months ago • Last updated September 23, 2025 • ⏱️ 4 min read
I finally found some time to work through Hackvertor issues - cut the backlog from 20 down to 6. There were a bunch of interesting bugs and several good feature requests; one in particular stands out:
This idea came from Soroush Dalili (he called it "Hackvertor profiles"). I renamed it Hackvertor Tag Automator because that name describes the feature more precisely.
Tag Automator lets you use Python to inspect a request or response, detect data, and automatically wrap matched parts in Hackvertor tags. In the analysis stage your Python code locates data and returns start/end positions (you can return multiple matches). Any matches are passed to the modification stage, where another Python snippet can decode the data and wrap it with the appropriate tags. It’s a simple way to automate repetitive conversions and speed up your workflow.
We’ll use JWT as an example. The example automation finds JWT tokens in a request, decodes them, and wraps decoded values with tags. Tag Automator supports two rule types: Context Menu and HTTP.
We want this rule to run from the right-click menu, so we’ll create a Context Menu rule. Steps:
This creates a rule that operates on the request and appears in the context menu when you right-click. Try it with a request that contains a JWT token - here’s a sample token you can use:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.7TNtfdcRCraA6JxwuKlByAryTktb653DD-Ve951DHSY
To test in Repeater:
https://portswigger-labs.net) then replace the host/URL as needed.token and paste the JWT above as the header’s value.If successful, the JWT will be decoded and the decoded parts will be wrapped with Hackvertor tags - a real time saver when you’re working with many tokens.
Tag Automator is built on Hackvertor’s custom tag system, and it’s possible to call Burp’s AI functionality directly from Python using the provided convert() function. Choose the AI example instead of jwt to see this in action. In the modification script an example looks like:
temp = "1.0" prompt = "Crack this hash" decoded = convert("<@ai('" + temp + "','" + prompt + "','" + executionKey + "')>" + input + "</@ai>") output = "<@md5>" + decoded + "</@md5>"
temp sets the temperature for the AI call.prompt is the instruction sent to the AI.convert() wraps a Hackvertor AI tag and sends input for processing; it requires the executionKey.input — provided automatically by Hackvertor; contains the matched input.executionKey — the tag execution key used to protect tags that perform sensitive operations.output — whatever you assign to this becomes the result Hackvertor inserts.You can call convert() from custom tags as well - combining automation and AI makes Hackvertor especially powerful.
I’ve added find-and-replace functionality for both the input and output in Hackvertor. To use it, open the main Hackvertor tab, click the Search tags combo box beneath the buttons, and select find & replace input or find & replace output.
When making an HTTP request in Repeater you can use context tags to access parts of the request (body, headers, etc.) from inside a tag. I added a context_request tag that returns the entire HTTP request (start-line, headers and body) so you can inspect or transform the full message from within Hackvertor.
There are been many more improvements and bug fixes I'll list a few
I tried to resolve as many issues as I could and I hope you enjoy this release! You can grab it from the BApp store: Hackvertor v2.1.24