How do I change an HTTP header value for active scan with stored state file?
One of the applications I am testing is using an authorization header for authentication.
I stored the state and want to use it for active-scan next time.
Would you advise me how to change the authorization header value in stored request messages?
Thank you in advance.
There isn’t currently a trivial way to do this in Burp’s native functionality. We have a pending feature request to support automatic modification/addition of HTTP headers via session handling rules (similar to the way they work for parameters), which would work nicely for this task.
In the meantime, I can think of two workarounds:
1. Chain a second instance of Burp as an upstream proxy from the first, and configure Proxy match/replace rules to add/rewrite the header.
2. Write a quick extension to register an IHttpListener, and modify each outgoing request as required.
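An illustration of the second workaround, added here as an example and not code posted by anyone in this thread: a legacy Extender API extension whose IHttpListener rewrites the Authorization header on each outgoing Scanner request and rebuilds the message. The extension name, the `NEW_AUTHORIZATION` placeholder and the choice to skip out-of-scope URLs are assumptions.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: replaces the Authorization header on outgoing Scanner requests.
public class BurpExtender implements IBurpExtender, IHttpListener {
    // Placeholder (assumption): substitute the current credential for your test account.
    private static final String NEW_AUTHORIZATION = "Bearer REPLACE_WITH_CURRENT_TOKEN";

    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Authorization header rewriter");
        callbacks.registerHttpListener(this);
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        // Only touch outgoing requests issued by the Scanner.
        if (!messageIsRequest || toolFlag != IBurpExtenderCallbacks.TOOL_SCANNER) return;
        IRequestInfo info = helpers.analyzeRequest(messageInfo);
        // Assumption: never attach the credential to hosts outside the target scope.
        if (!callbacks.isInScope(info.getUrl())) return;

        // getHeaders() includes the request line as element 0; copy before editing.
        List<String> headers = new ArrayList<>(info.getHeaders());
        boolean replaced = false;
        for (int i = 1; i < headers.size(); i++) {
            if (headers.get(i).regionMatches(true, 0, "Authorization:", 0, 14)) {
                headers.set(i, "Authorization: " + NEW_AUTHORIZATION);
                replaced = true;
            }
        }
        if (!replaced) headers.add("Authorization: " + NEW_AUTHORIZATION);

        // Keep the body unchanged; buildHttpMessage updates Content-Length if needed.
        byte[] request = messageInfo.getRequest();
        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        messageInfo.setRequest(helpers.buildHttpMessage(headers, body));
    }
}
```

Compile it against the Burp Extender API interfaces and load the resulting JAR from the Extender tab before starting the active scan from the restored state.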
I want to know how I can modify the header value and build the request with it again.
Please don't mind the previous request.
I successfully made the extension.
Unfortunately, no progress so far. However, you can use the Custom Parameter Handler extension in the BApp Store.