Burp Suite User Forum


Allow extensions to modify proxy history

Tom | Last updated: Sep 01, 2017 02:59PM UTC

I was attempting to create an extension that would offer an option to automatically censor passwords or particular secrets within the Proxy HTTP History. Unfortunately, this does not appear to be possible, because the Burp API does not allow modifications to the history: an UnsupportedOperationException is thrown with the message "Proxy history is read-only" when I try to call IHttpResponse.setRequest. Is it really necessary to prohibit extensions from making changes to requests/responses within the history? If not, could this be allowed in a future release?

PortSwigger Agent | Last updated: Sep 04, 2017 09:01AM UTC

Hi Tom, Thanks for your inquiry. We've discussed this internally. We feel that the proxy should be a historical record of communication, which means it's immutable. Also, Burp projects are likely to contain lots of confidential data, so even with a password scrubber, the files would still need to be treated sensitively. So I'm afraid we won't be making the history mutable at this point. Please let us know if you need any further assistance.

Burp User | Last updated: Sep 05, 2017 03:01PM UTC

Hi Paul, Thank you. I can understand why this decision was made. I still do think, however, that the ability to scrub passwords would be useful. There are use cases where passwords (or other authentication material that is valid beyond the duration of a single session) have a higher level of sensitivity than the rest of the history, and where these cannot be changed directly after an investigation. However, I did just find out that the user interface provides an option to delete items from the history. In combination with the search function, this is sufficient for the purpose for which I originally wanted to implement a password scrubber. So basically, my problem is already solved now.
