Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

How do I change a http header value for active scan with stored state file?

Pauline May 06, 2015 03:26PM UTC


One of applications I am testing is using authorization header for authentication.
I stored the state and want to use it for active-scan next time.
Would you advise me how to change the authorization header value in stored request messages?

Thank you in advance.

Dafydd Stuttard May 07, 2015 02:50PM UTC Support Center agent

There isn’t currently a trivial way to do this in Burp’s native functionality. We have a pending feature request to support automatic modification/addition of HTTP headers via session handling rules (similar to the way they work for parameters), which would work nicely for this task.

In the meantime, I can think of two workarounds:

1. Chain a second instance of Burp as upstream proxy from the first, and configure Proxy match/replace rules to add/rewrite the header.

2. Write a quick extension to register an IHttpListener, and modify each outgoing request as required.

Pauline May 13, 2015 04:04PM UTC
Can you advise as to the 2nd workaround?

I want to know how I can modify the header value and build the request with it again.


Pauline May 13, 2015 08:02PM UTC

Please don't mind the previous request.
I successfully made the extension.


Peter Dec 18, 2017 10:31PM UTC
Any progress on including this in the session handling rules? It was the first place where I looked for it and was surpised not finding it...

Paul Johnston Dec 19, 2017 08:43AM UTC Support Center agent

Hi Peter,

Unfortunately, no progress so far. However, you can use the Custom Parameter Handler extension in the BApp Store.

adrianbelen Feb 20, 2018 01:36AM UTC
try this

Post Your public answer

Your name
Your email address