Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

include JWT Token

Allen | Last updated: Jul 11, 2019 09:06PM UTC

How can I include custom headers in burp enterprise. I have several applications that are rest APIs and without JWT in an authorization header you just get 403. So no meaningful scan can be conducted.

Rose, PortSwigger Agent | Last updated: Jul 15, 2019 08:20AM UTC

Allen, have you tried using the Add Custom Header extension? - https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc

Burp User | Last updated: Jul 15, 2019 03:17PM UTC

Will the add custom header extension work in Burp Enterprise?

Rose, PortSwigger Agent | Last updated: Jul 16, 2019 06:29AM UTC

Allen, I do apologise, I missed that you were talking about the Enterprise Edition. At the moment this won't work, but we do have a story in our development backlog to support this. I'm registering your interest, which should help to get the story prioritised. Unfortunately, we can't tell you when this will be implemented, but we will be sure to let you know when it is.

Burp User | Last updated: Jan 25, 2020 10:37PM UTC

Hi, any progress on this request?

Ben, PortSwigger Agent | Last updated: Jan 27, 2020 08:26AM UTC

Hi, This functionality is still in our development backlog. We will update this thread once we have some more news.

Ian | Last updated: Jan 19, 2022 02:18PM UTC

Hello, I'm after updates too, can Burp Suite Enterprise handle JWT in bearer and custom headers yet? I have a client with several apps all using signed JWT extensively and Burp Suite Enterprise doesn't work with them.

Uthman, PortSwigger Agent | Last updated: Jan 19, 2022 08:44PM UTC

Hi Ian,

The functionality still hasn't been added but it is on our radar.

Now that extensions are supported in Enterprise, you could try writing one to handle this. A colleague and I have written a basic one to add custom headers to requests and you can find this below:


Feel free to make any changes and use that (or any extension on the BApp Store) as a starting point.

Extensions like the ones below may be of interest to you but please note that Enterprise does not support extensions with UI elements (e.g. use of Swing components to create a tab):


We'll update this thread when native support for custom headers has been added. Thank you all for your patience!

Sam | Last updated: Mar 15, 2022 04:26PM UTC

We would vote to have your product team to prioritize this topic because we rely upon JWT tokens for all of our APIs.

Uthman, PortSwigger Agent | Last updated: Mar 15, 2022 05:43PM UTC