Burp Suite User Forum

Multiple Headers

Holger | Last updated: Apr 17, 2021 03:26PM UTC

Hi, I have the following request for a pen test:

"To identify your traffic as being part of this program kindly add the following headers to your requests:
X-SecurityTest-Platform: [bugbounty]
X-SecurityTest-Ninja: [security researcher name]"

The extension "Add Header" seems to have only the option to add one header, not two. Is there any other option?

AssistantX | Last updated: Apr 19, 2021 02:52PM UTC

Assuming you want the header added on all requests, you actually don't need an extension to do this. You can use Match and Replace in Proxy options. There is a default rule there that is disabled with the comment "Add spoofed CORS origin". This shows an example of how to add a request header. For each header you want to add on all requests, do the following:

Proxy > Options > Match and Replace > Add button
Type: Request header
Match: <leave blank>
Replace: X-SecurityTest-Platform: [bugbounty]

Hannah, PortSwigger Agent | Last updated: Apr 20, 2021 03:14PM UTC

As AssistantX has said, you can add additional headers in the proxy using the match and replace rules.

If you were wanting to use other tools in Burp, like the Scanner or Intruder, you could write a quick extension to add those headers into your requests - I would recommend basing it off of the "custom session token" example here.

I tested adding multiple headers in the "Add custom header" extension (by adding them on new lines in the hardcoded values area), but they didn't seem to be added correctly when viewed in Inspector.

AssistantX | Last updated: Apr 20, 2021 10:22PM UTC

You can use the Reshaper extension from the BApp Store if you need to add a header to requests from other Burp tools (includes Proxy as well). You just have to go into the Settings tab of Reshaper and select the checkbox for the Burp tool you want to add the headers to under "Capture Traffic From:".

Uthman, PortSwigger Agent | Last updated: Apr 21, 2021 07:28AM UTC

AssistantX's method is great, or if you are interested in writing your own extension then please use the method here: - https://forum.portswigger.net/thread/multiple-headers-9e49d8d25cdf99e1769
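
Added example, not part of the thread and not PortSwigger's code: a small extension for Burp's legacy Extender API (Python via Jython), along the lines of the replies that suggest writing one, which sets both headers on requests from every Burp tool. The header values are the placeholders from the question; the extension name and the `merge_headers` helper are names chosen for this example.

```python
try:
    from burp import IBurpExtender, IHttpListener
except ImportError:
    # Not running inside Burp: stand-in bases so merge_headers can be tested alone.
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass

# Placeholder values copied from the program's instructions; replace before use.
TAG_HEADERS = [
    ("X-SecurityTest-Platform", "[bugbounty]"),
    ("X-SecurityTest-Ninja", "[security researcher name]"),
]


def merge_headers(headers, extra):
    # headers[0] is the request line. Existing copies of a tag header are dropped
    # (case-insensitive) so a re-sent request carries each tag exactly once.
    headers = list(headers)
    names = set(name.lower() for name, _ in extra)
    kept = [headers[0]]
    for line in headers[1:]:
        if line.split(":", 1)[0].strip().lower() not in names:
            kept.append(line)
    for name, value in extra:
        if "\r" in value or "\n" in value:  # one header per entry, never two in one value
            raise ValueError("line break in value for " + name)
        kept.append("%s: %s" % (name, value))
    return kept


class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Program tag headers")  # name chosen for this example
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Called for requests from every Burp tool, not only the Proxy.
        if not messageIsRequest:
            return
        request = messageInfo.getRequest()
        info = self._helpers.analyzeRequest(request)
        body = request[info.getBodyOffset():]
        headers = merge_headers(info.getHeaders(), TAG_HEADERS)
        messageInfo.setRequest(self._helpers.buildHttpMessage(headers, body))
```

After loading it, check a Scanner or Intruder request in Logger to confirm both headers appear as separate lines.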
