Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

How do I change a http header value for active scan with stored state file?

Pauline May 06, 2015 03:26PM UTC


One of applications I am testing is using authorization header for authentication.
I stored the state and want to use it for active-scan next time.
Would you advise me how to change the authorization header value in stored request messages?

Thank you in advance.

Dafydd Stuttard May 07, 2015 02:50PM UTC Support Center agent

There isn’t currently a trivial way to do this in Burp’s native functionality. We have a pending feature request to support automatic modification/addition of HTTP headers via session handling rules (similar to the way they work for parameters), which would work nicely for this task.

In the meantime, I can think of two workarounds:

1. Chain a second instance of Burp as upstream proxy from the first, and configure Proxy match/replace rules to add/rewrite the header.

2. Write a quick extension to register an IHttpListener, and modify each outgoing request as required.

Pauline May 13, 2015 04:04PM UTC
Can you advise as to the 2nd workaround?

I want to know how I can modify the header value and build the request with it again.


Pauline May 13, 2015 08:02PM UTC

Please don't mind the previous request.
I successfully made the extension.


Peter Dec 18, 2017 10:31PM UTC
Any progress on including this in the session handling rules? It was the first place where I looked for it and was surpised not finding it...

Paul Johnston Dec 19, 2017 08:43AM UTC Support Center agent

Hi Peter,

Unfortunately, no progress so far. However, you can use the Custom Parameter Handler extension in the BApp Store.

adrianbelen Feb 20, 2018 01:36AM UTC
try this

Post Your public answer

Your name
Your email address