Burp Suite User Forum

Burp Enterprise Edition scan with custom header and plugin support

Allen | Last updated: May 15, 2019 07:27PM UTC

Two questions:

1. Can you specify a custom header on a Burp Enterprise scan? I need to supply a JWT in an authorization header before the app will even really respond and there is no direct login mechanism as it is a microservice.
2. Does Burp Enterprise have a way to use Burp professional plugins?

Rose, PortSwigger Agent | Last updated: May 16, 2019 07:34AM UTC

Currently this is not possible in Burp Enterprise. There is a ticket in our backlog to allow Burp Pro extensions to be used in Burp Enterprise. We've registered your interest in this. This should allow you to use the "Add Custom Header" extension. Unfortunately we can't tell you when this functionality will be available. We'll update you when it has been released.

Burp User | Last updated: May 16, 2019 04:16PM UTC

Add me to the list, too. It looks like Enterprise Edition has a way to upload custom configuration files. Can we upload a JSON config file which has some "Session Rules" which insert the Authorization HTTP Header for JWT?

Liam, PortSwigger Agent | Last updated: May 17, 2019 02:49PM UTC

Thanks for the feedback Kevin. You can upload a configuration file to Burp Enterprise. However, the only session handling rule that will currently work with Burp's crawl and scan is "Set a specific cookie or parameter value".

https://support.portswigger.net/customer/portal/articles/2973443-using-burp-suite-enterprise-creating-a-custom-scan-configuration

Please let us know if you need any further assistance.

Burp User | Last updated: May 20, 2019 08:30PM UTC

When will this be supported in EE? For JWT authorization this is a non-starter. Thanks!

Liam, PortSwigger Agent | Last updated: May 21, 2019 08:03AM UTC

We do have plans to support this feature. Unfortunately, we can't provide an ETA.

Ben, PortSwigger Agent | Last updated: May 30, 2019 07:15AM UTC

Hi, This functionality is still in our development backlog. We will update this thread when we have any further updates for this.

Burp User | Last updated: Jan 28, 2020 07:03AM UTC

It's been six months. Any news?

Berg, | Last updated: Feb 27, 2020 04:57PM UTC

Are we still not able to create a session handling rule that inserts an authorization header? ...

Nicolas | Last updated: Feb 27, 2020 08:07PM UTC

Any news on this?

Michelle, PortSwigger Agent | Last updated: Feb 28, 2020 08:42AM UTC

This is still in our backlog, it hasn't been forgotten about. We can't give an ETA just yet, but this thread is linked so we will update this thread when we have any further updates.

jpatinob | Last updated: Jun 10, 2020 04:13PM UTC

Any news on this?

Michelle, PortSwigger Agent | Last updated: Jun 11, 2020 09:50AM UTC

I'm afraid I can't make any promises on timescales just yet but we are keeping track of everyone who is interested in using extensions from the BApp Store with Enterprise. We'll put an update on this thread when there's some news.

Mykhailo | Last updated: Dec 07, 2020 03:39PM UTC

I am also looking for the ability to add/customise headers in Burp Suite Enterprise. I was really surprised that it's not possible out of the box (by default). It's really needed functionality, and now I should think about whether we would use/buy it or not!? The current solution I found for myself at the time is using an upstream proxy with "Match and Replace" functionality. It requires more resources/performance, and for automation it also requires additional manual work, but it's working for me now.

Michelle, PortSwigger Agent | Last updated: Dec 08, 2020 09:48AM UTC

The ability to use Burp extensions within Enterprise is part of our official roadmap for next year https://portswigger.net/burp/enterprise/roadmap

Moshe | Last updated: Mar 11, 2021 05:59PM UTC

Any updates/ETA on the ability to add custom/authorization headers for EE scans? This is a major blocker of usability in APIs and modern web apps, rendering the 'recorded login' and OpenAPI parser pretty useless (unless it's unauthenticated/basic auth scans).

Michelle, PortSwigger Agent | Last updated: Mar 12, 2021 10:18AM UTC

Thanks for your message. I'm afraid we don't have an ETA just yet for the release, but we are working towards allowing extensions to be used in Enterprise. https://portswigger.net/blog/burp-suite-roadmap-for-2021

D | Last updated: Aug 30, 2021 01:30PM UTC

Hello, do you have any estimate of when you will support all extensions, not only the 10 selected? Because none of them solves the mentioned problem with custom headers. https://portswigger.net/blog/burp-extensions-added-to-burp-suite-enterprise-edition

Michelle, PortSwigger Agent | Last updated: Aug 31, 2021 11:51AM UTC

In this initial release, as well as the 10 extensions listed in the article, you can also create your own extensions. If you're looking to add custom headers to a scan, the Java version of this one would be compatible with Enterprise: https://github.com/UthmanPortSwigger/add-custom-headers You might want to test it out in Burp Suite Professional first so you can see more detail on how it affects the requests and then move to use it in Burp Suite Enterprise. I hope this helps! Please let us know if you have any questions.
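
As an added illustration of the approach in the reply above (example code written for this page, not PortSwigger's and not the code of the linked add-custom-headers extension): a Burp extension using the legacy Extender API that sets an `Authorization: Bearer` header on requests to a single host. The host name `api.example.test` and the environment variable `SCAN_JWT` are assumptions made for the example.

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example built on the legacy Burp Extender API interfaces
// (IBurpExtender, IHttpListener). Not the code of the linked extension.
public class BurpExtender implements IBurpExtender, IHttpListener {
    // Assumptions: placeholder host and environment variable name.
    private static final String TARGET_HOST = "api.example.test";
    private static final String TOKEN_ENV = "SCAN_JWT";

    private IExtensionHelpers helpers;
    private String token;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        // Read the JWT at load time so it is never stored inside the JAR.
        token = System.getenv(TOKEN_ENV);
        callbacks.setExtensionName("Scan Authorization header (example)");
        callbacks.registerHttpListener(this);
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest,
                                   IHttpRequestResponse messageInfo) {
        if (!messageIsRequest || token == null || token.isEmpty()) {
            return;
        }
        // Send the token only to the application under test, never to
        // third-party hosts that the crawler happens to request.
        if (!TARGET_HOST.equalsIgnoreCase(messageInfo.getHttpService().getHost())) {
            return;
        }
        byte[] request = messageInfo.getRequest();
        IRequestInfo info = helpers.analyzeRequest(request);
        List<String> headers = new ArrayList<>(info.getHeaders());
        // Replace any existing Authorization header instead of sending two.
        headers.removeIf(h -> h.regionMatches(true, 0, "Authorization:", 0, 14));
        headers.add("Authorization: Bearer " + token);
        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        messageInfo.setRequest(helpers.buildHttpMessage(headers, body));
    }
}
```

A JWT that expires part-way through a scan will cause the remaining requests to be rejected, so the token lifetime needs to cover the expected scan duration.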
