Burp community forum

How do I change a http header value for active scan with stored state file?

Pauline | Last updated: May 06, 2015 03:26PM UTC

Hi, One of applications I am testing is using authorization header for authentication. I stored the state and want to use it for active-scan next time. Would you advise me how to change the authorization header value in stored request messages? Thank you in advance.

PortSwigger Agent | Last updated: May 07, 2015 02:49PM UTC

There isn't currently a trivial way to do this in Burp's native functionality. We have a pending feature request to support automatic modification/addition of HTTP headers via session handling rules (similar to the way they work for parameters), which would work nicely for this task. In the meantime, I can think of two workarounds: 1. Chain a second instance of Burp as upstream proxy from the first, and configure Proxy match/replace rules to add/rewrite the header. 2. Write a quick extension to register an IHttpListener, and modify each outgoing request as required.

Burp User | Last updated: May 13, 2015 04:04PM UTC

Can you advise as to the 2nd workaround? I want to know how I can modify the header value and build the request with it again. Thanks!

Burp User | Last updated: May 13, 2015 08:02PM UTC

Please don't mind the previous request. I successfully made the extension. Thanks.

PortSwigger Agent | Last updated: May 14, 2015 07:57AM UTC

Hi Peter, Unfortunately, no progress so far. However, you can use the Custom Parameter Handler extension in the BApp Store.

Burp User | Last updated: Dec 18, 2017 10:31PM UTC

Any progress on including this in the session handling rules? It was the first place where I looked for it and was surpised not finding it...

Burp User | Last updated: Feb 20, 2018 01:36AM UTC

try this https://github.com/deadstar1/BearerAuthToken

You need to Log in to post a reply. Or register here, for free.