Burp community forum

IRequestInfo getHeaders

roelstorms | Last updated: Dec 03, 2015 03:08PM UTC

Why does the getHeaders method return a list<String> instead of a HashMap<String,String>. I think that everyone using getHeaders is now doing extra parsing on the list of strings since the normal usage would be something like this: headers = info.getHeaders(); String content-length = headers.get("content-length"): The List<String> is really unpractical and I am converting from and to the list, to use the BurpSuite API's with my extension. I believe a lot of errors will be introduced when everyone is parsing their own headers since the format of such headers is error prone (see RFC7230). What do you do with folded headers? What about whitespaces between header name and the ":". It isn't allowed anymore and according to the RFC introduced security vulnerabilities in the past. It would be even better if the request had options to add and remove headers. Now we need to get the headers, parse the headers, modify the headers, parse the headers, and create a new message with these parsed headers and the message body that is not available in the IRequestInfo object. This all seems like a lot of work when we want to modify a header. I would like to do something like this: void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo){ IRequest request = messageInfo.getRequest(); request.setHeader("name", "value"); messageInfo.setRequest(request); // Depending on if we got a copy or not. What are the reasons this isn't supported? Is it impossible to implement or because of performance issues? I know Tomcat allows web application developers to use versatile API's to read and modify headers. I something like this still on it's way for BurpSuite?

Burp User | Last updated: Dec 03, 2015 04:45PM UTC

How are folded headers passed on? Are these multiple entries in the list? The documentation does not mention how the headers are stored in the list. Is there any processing done on them like unfolding and combining multiple headers with the same name? What happens to the \n\r characters on the end of each line? The interface for reference: /** * This method is used to obtain the HTTP headers contained in the request. * * @return The HTTP headers contained in the request. */ List<String> getHeaders();

PortSwigger Agent | Last updated: Dec 04, 2015 08:50AM UTC

The list contains a string for each header in the HTTP message, in the original order. Line endings have been trimmed, but no other processing or analysis has been done, so you will see duplicates if the analyzed message contains duplicates. Agreed, it would be possible to provide a richer API. When we next have a major push on the API, we'll look into what other helper methods we could provide.

Burp User | Last updated: Dec 04, 2015 02:07PM UTC

I am building a request object on top of the IRequestInfo and the raw byte[]. I just find that there are a lot of weird decisions in the API. If I analyze the request, the body is not in the resulting IRequestInfo. So if I want to build a request I need to find the headers, which I can get from the IRequestInfo and the body which can be obtained by IRequestInfo.getBodyOffset() and the raw message itself. This means that during my program I need to keep these two in sync and keep track of them both. Personally I am now storing both in a Request object with the logic to take care of the above issues. I get the IRequestInfo for a lot of useful parsing and I store the body which is obtained from the byte[]. This new Request object contains all information of a Request and allows me to build a byte[] that I can pass on to IHttpRequestResponse.setResponse(). I'm definitely looking forward to a richer API from BurpSuite. Is there a way to suggest improvements?

PortSwigger Agent | Last updated: Dec 04, 2015 02:30PM UTC

You can make feature requests through this Support Center or via email, thanks.

PortSwigger Agent | Last updated: Feb 19, 2016 09:27AM UTC

There haven't been any changes at this time, sorry.

Burp User | Last updated: Apr 27, 2016 09:20PM UTC

Have there been any changes to the API to provide a simplified way to manipulate request headers? I'm currently building an extension where a setHeader method would be very useful.

Burp User | Last updated: Oct 25, 2016 10:25AM UTC

I would also like to refresh this feature request. It would be great to have a simple API, such as with the "IParameter" and "updateParameter()" to access and manipulate HTTP headers.

You need to Log in to post a reply. Or register here, for free.