Burp Suite User Forum

Create new post

Request Normalization

GuiDotPy | Last updated: Jan 06, 2024 11:59PM UTC

Hi, Recently, I was testing a site and tried to send the following request: GET / HTTP/2 X-Any-Header: site.com Host: site.com However, I faced some issues because I required this specific sequence, but Burp automatically normalized and changed the position of the Host header to: GET / HTTP/2 Host: site.com X-Any-Header: site.com A few months ago, I also had issues with this type of normalization. I was trying to send a request with the first character of the header in lowercase, but it was automatically normalized to uppercase. I tried to find a solution in the settings, but it seems there is no way to disable this feature. I also searched online but wasn't able to find a solution. So, if there truly isn't a solution, then adding an option to disable the normalization feature would be helpful.

Michelle, PortSwigger Agent | Last updated: Jan 08, 2024 03:39PM UTC

Thanks for getting in touch. When the request is sent as HTTP/2, it is altered to conform to the RFC, so the pseudo-header containing the host (:authority) is moved above the regular header field X-Any-Header. (https://httpwg.org/specs/rfc7540.html#HttpHeaders All pseudo-header fields MUST appear in the header block before regular header fields.) I hope this helps to explain things.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.