Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Multiple Headers

Holger | Last updated: Apr 20, 2021 07:24AM UTC

Hi, for a bug bounty program, I need to add two X-Headers to all requests. The available extension seems to allow only one custom header to add. How can I add multiple header? Thanks and Regards Holger

Uthman, PortSwigger Agent | Last updated: Apr 20, 2021 08:14AM UTC

Hi Holger, Have you considered using the Match and Replace rules under Proxy > Options?

Uthman, PortSwigger Agent | Last updated: Apr 20, 2021 02:12PM UTC

Hi Holger, If you want to implement this as a session handling rule, you can use the Python code below: from burp import IBurpExtender from burp import ISessionHandlingAction from burp import IParameter class BurpExtender(IBurpExtender, ISessionHandlingAction): def registerExtenderCallbacks(self, callbacks): self._callbacks = callbacks self._helpers = callbacks.getHelpers() callbacks.setExtensionName("Insert Custom HTTP Header") callbacks.registerSessionHandlingAction(self) return def getActionName(self): return "Insert Custom HTTP Header" def performAction(self, currentRequest, macroItems): requestInfo = self._helpers.analyzeRequest(currentRequest) headers = requestInfo.getHeaders() msgBody = currentRequest.getRequest()[requestInfo.getBodyOffset():] headers.add('Test: 22') headers.add('Test: 123') message = self._helpers.buildHttpMessage(headers, msgBody) print self._helpers.bytesToString(message) currentRequest.setRequest(message) return Adapted from https://forum.portswigger.net/thread/registersessionhandlingaction-throwing-errors-8f1ba1f6 so credit to that user! You just need to add the source code into a .py file, load it into the Extender > Extensions tab, and then create a new session handling rule in Project options > Sessions. You will need the rule action to 'Invoke a Burp extension'. Please change the scope of the session handling rule as appropriate and ensure the headers reflect what you want to add to each request.

Farooq | Last updated: Jun 08, 2021 04:09PM UTC

Hi @Uthman, How do I invoke the Test: header value dynamically from a macro instead of hardcoded values? This is to manage my session handling rules. Any hint how to do that? Thanks!

Uthman, PortSwigger Agent | Last updated: Jun 09, 2021 06:50AM UTC

Farooq, Can you provide some more detail on what you are trying to do, please? Are you trying to retrieve a value from a response and enter it into the header value of a subsequent request?

Praveen | Last updated: Jun 29, 2021 02:16PM UTC

Hi @uthman, I have the same requirement. - Retrieve a bearer token using a macro if session is invalid. - replace the token in subsequent requests in 2 headers like : header1:{{bearer token}} header2:{{bearer token}} Thanks.

Uthman, PortSwigger Agent | Last updated: Jun 29, 2021 02:31PM UTC