Burp Suite User Forum

Multiple Headers

Holger | Last updated: Apr 20, 2021 07:24AM UTC

Hi, for a bug bounty program, I need to add two X-Headers to all requests. The available extension seems to allow only one custom header to be added. How can I add multiple headers? Thanks and Regards Holger

Uthman, PortSwigger Agent | Last updated: Apr 20, 2021 08:14AM UTC

Hi Holger, Have you considered using the Match and Replace rules under Proxy > Options?

Uthman, PortSwigger Agent | Last updated: Apr 20, 2021 02:12PM UTC

Hi Holger, If you want to implement this as a session handling rule, you can use the Python code below:

```python
from burp import IBurpExtender
from burp import ISessionHandlingAction
from burp import IParameter


class BurpExtender(IBurpExtender, ISessionHandlingAction):

    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Insert Custom HTTP Header")
        # Make this action selectable in a session handling rule
        callbacks.registerSessionHandlingAction(self)
        return

    def getActionName(self):
        return "Insert Custom HTTP Header"

    def performAction(self, currentRequest, macroItems):
        # Split the current request into its header list and body bytes
        requestInfo = self._helpers.analyzeRequest(currentRequest)
        headers = requestInfo.getHeaders()
        msgBody = currentRequest.getRequest()[requestInfo.getBodyOffset():]
        # Append the custom headers (change these to the ones you need)
        headers.add('Test: 22')
        headers.add('Test: 123')
        # Rebuild the request and log it to the extension's output
        message = self._helpers.buildHttpMessage(headers, msgBody)
        print self._helpers.bytesToString(message)
        currentRequest.setRequest(message)
        return
```

Adapted from https://forum.portswigger.net/thread/registersessionhandlingaction-throwing-errors-8f1ba1f6 so credit to that user!

You just need to add the source code into a .py file, load it into the Extender > Extensions tab, and then create a new session handling rule in Project options > Sessions. You will need to set the rule action to 'Invoke a Burp extension'. Please change the scope of the session handling rule as appropriate and ensure the headers reflect what you want to add to each request.

Farooq | Last updated: Jun 08, 2021 04:09PM UTC

Hi @Uthman, How do I invoke the Test: header value dynamically from a macro instead of hardcoded values? This is to manage my session handling rules. Any hint how to do that? Thanks!

Uthman, PortSwigger Agent | Last updated: Jun 09, 2021 06:50AM UTC

Farooq, Can you provide some more detail on what you are trying to do, please? Are you trying to retrieve a value from a response and enter it into the header value of a subsequent request?

Praveen | Last updated: Jun 29, 2021 02:16PM UTC

Hi @uthman, I have the same requirement.

- Retrieve a bearer token using a macro if session is invalid.
- Replace the token in subsequent requests in 2 headers like:
  header1:{{bearer token}}
  header2:{{bearer token}}

Thanks.

Uthman, PortSwigger Agent | Last updated: Jun 29, 2021 02:31PM UTC

Praveen, can you try using the 'Authentication Token Obtain and Replace' extension?

- https://portswigger.net/bappstore/51327b097b354243b307b4ed87ba39eb

Alternatively, you can try writing your own extension. You may find the resources below helpful:

- https://portswigger.net/burp/extender
- https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension
- https://portswigger.net/burp/extender/api/
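An added example, not part of the thread and not PortSwigger's code: a variant of the session handling action posted earlier that reads the token from the last macro response and sets it in two headers, replacing stale copies rather than appending duplicates. It assumes the macro response is JSON with an `access_token` field; `header1` and `header2` are the placeholder names from Praveen's post, and the stand-in classes exist only so the two helper functions can be exercised outside Burp.

```python
import json
import re
try:  # available only inside Burp's Jython environment
    from burp import IBurpExtender, ISessionHandlingAction
except ImportError:  # stand-ins so the helper functions run outside Burp
    class IBurpExtender(object): pass
    class ISessionHandlingAction(object): pass

TOKEN_FIELD = "access_token"             # assumed JSON field in the macro response
TARGET_HEADERS = ("header1", "header2")  # placeholder names from the thread
TOKEN_RE = re.compile(r"\A[A-Za-z0-9._~+/=-]+\Z")  # rejects CR/LF and spaces

def extract_token(body_text):
    """Return the token from a JSON body, or None if absent or malformed."""
    try:
        value = json.loads(body_text).get(TOKEN_FIELD)
        return value if TOKEN_RE.match(value) else None
    except (ValueError, AttributeError, TypeError):
        return None

def set_headers(headers, token):
    """Replace (not duplicate) the target headers with the fresh token."""
    prefixes = tuple(name.lower() + ":" for name in TARGET_HEADERS)
    kept = [h for h in headers if not h.lower().startswith(prefixes)]
    return kept + ["%s: %s" % (name, token) for name in TARGET_HEADERS]

class BurpExtender(IBurpExtender, ISessionHandlingAction):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Insert Token Headers From Macro")
        callbacks.registerSessionHandlingAction(self)

    def getActionName(self):
        return "Insert Token Headers From Macro"

    def performAction(self, currentRequest, macroItems):
        if not macroItems:  # rule ran without a macro: leave the request alone
            return
        response = macroItems[-1].getResponse()  # last response of the macro
        if response is None:
            return
        offset = self._helpers.analyzeResponse(response).getBodyOffset()
        token = extract_token(self._helpers.bytesToString(response[offset:]))
        if token is None:
            return
        info = self._helpers.analyzeRequest(currentRequest)
        body = currentRequest.getRequest()[info.getBodyOffset():]
        headers = set_headers(list(info.getHeaders()), token)
        currentRequest.setRequest(self._helpers.buildHttpMessage(headers, body))
```

The token is validated against a strict character set before it is placed in a header, so a macro response containing CR/LF cannot add extra header lines to the outgoing request.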
