Burp Suite User Forum


How to change the Authorization header in scanner rule?

Hans | Last updated: Aug 17, 2017 06:17PM UTC

I'm attempting to perform an active scan on a few requests that don't have the current authorization header. Every response in the Logger++ output shows a 401 Unauthorized because each scanner request is using an invalid auth header. I've looked at the rules creation wizard in the project options -> sessions tab, but it only allows you to modify cookies or parameters, not header values. Is there any way I can make the scanner modify an Authorization header for each request?

PortSwigger Agent | Last updated: Aug 18, 2017 09:30AM UTC

Thanks for your inquiry. Can I ask what authorization header your app uses? It's helpful to know about less-common authentication systems. You could try the Extended Macro session. This does have the ability to replace and create header values. If you're prepared to do a bit of coding, this sample extension should do roughly what you need, although you may need to modify the code:

https://github.com/PortSwigger/example-custom-session-tokens

We do intend to make this a core feature. Please let us know if you need any further assistance.
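As an added illustration of the session-handling-action approach the reply points to (this is example code, not the PortSwigger sample extension), the following Burp extension rewrites the Authorization header on every request the rule is applied to, and adds one when the scanner-generated request lacks it. It assumes a Bearer token scheme and that the current token is supplied through a hypothetical BURP_AUTH_TOKEN environment variable; adapt the token source to your own app.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Session handling action: rewrites (or adds) the Authorization header on each
// request it is invoked on. Register under Project options -> Sessions ->
// "Invoke a Burp extension", with the rule scoped to the Scanner tool.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    // Assumption: the current token is supplied via this environment variable.
    private static final String TOKEN_ENV = "BURP_AUTH_TOKEN";
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Replace Authorization header");
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() { return "Replace Authorization header"; }

    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        String token = System.getenv(TOKEN_ENV);
        if (token == null || token.isEmpty()) return; // nothing to substitute, leave request as-is
        byte[] request = currentRequest.getRequest();
        IRequestInfo info = helpers.analyzeRequest(request);
        List<String> headers = new ArrayList<>();
        boolean replaced = false;
        for (String header : info.getHeaders()) {
            // Header names are case-insensitive; swap any existing Authorization header
            if (header.regionMatches(true, 0, "Authorization:", 0, 14)) {
                headers.add("Authorization: Bearer " + token);
                replaced = true;
            } else {
                headers.add(header);
            }
        }
        // Scanner requests that never carried the header get one, after the request line
        if (!replaced) headers.add(1, "Authorization: Bearer " + token);
        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        currentRequest.setRequest(helpers.buildHttpMessage(headers, body));
    }
}
```

Because the action runs inside a session handling rule, the Logger++ view should then show the rewritten header on each scanner request rather than the stale one that produced the 401s.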

Burp User | Last updated: Dec 14, 2018 01:51AM UTC

Has this been made a core feature and if so where is it?

PortSwigger Agent | Last updated: Dec 14, 2018 08:00AM UTC

This hasn't been made a core feature as yet. We've been working more on the new crawler which takes away the need for session handling rules, in many cases. There is now an "Add Custom Header" extension which does this, and is a bit simpler than Extended Macro.
