Burp Suite User Forum


Host header fuzzing does not work

Paulius | Last updated: Mar 03, 2023 08:04AM UTC

Hi! Using Burp Suite Pro v2023.1.3. Using Intruder to fuzz the Host header value with UTF-8 chars; however, in the results screen (Request) I see that I'm sending only the original header value (confirmed via the same server response sizes and visually in the Request window). Tried adding another header and fuzzing the same payloads - works fine, visually shows up in the Request window. Tried fuzzing POST parameters - works fine. This is a bug in Burp. Could you check and fix please? Thanks!

Michelle, PortSwigger Agent | Last updated: Mar 03, 2023 03:04PM UTC

Hi, thanks for getting in touch. To help us replicate this here, can you send some screenshots showing the Intruder attack setup to support@portswigger.net, please? Was it just the payloads with UTF-8 characters that were affected, or were other payloads in the Host header also affected? Did you have the option 'Update host header to match target' unchecked on all these tests?
