PROFESSIONALCOMMUNITY

Burp Suite message editor

Last updated: July 20, 2021
Read time: 9 Minutes

The message editor is used throughout Burp for viewing and editing HTTP requests and responses, as well as WebSocket messages. In addition to displaying the messages themselves, the editor includes a large number of functions to help you quickly analyze the messages further, drive Burp's core workflow, and carry out other useful tasks.

The message editor primarily consists of the following panels:

The text editor, which displays the messages themselves
The collapsible message inspector tool, which provides quick access to key details of HTTP messages and WebSockets, and allows you to perform some basic operations without having to switch to different tabs.
Note: The "Inspector" panel effectively replaces the Hex, Params, and Headers tabs found in older versions of Burp Suite.

In the upper-right corner of the message editor, there are three icons for adjusting the layout based on how you prefer to work. You can choose from the following options:

Horizontal layout: The request and response are arranged side-by-side.
Vertical layout: The request and response are stacked one on top of the other.
Combined view: Either the request or response will fill the message editor pane. You can alternate between the two using the corresponding tabs.

At the top of each request or response, there is a toolbar that provides a range of features to help you analyze different types of messages. You can alternate between different views to control how the how the content of the messages is displayed, perform a variety of common operations, and incorporate custom extensions to help you analyze the messages further.

Raw view

In this view, the text editor displays the full message in its raw form. The text editor includes various useful functions including syntax analysis, hotkeys, and text search. You can use the "\n" button to toggle whether non-printing characters are displayed

In some of Burp's tools, such as Burp Repeater, you can also make changes to requests directly in the text editor.

You can access a wide range of context-specific actions for both requests and responses either from the "Actions" menu or by right-clicking anywhere on the relevant message. By selecting one or more characters in a message, you can also work with specific values in the inspector.

Pretty view

In this view, you can access all of the same functionality as in the "Raw" view. The key difference is that the text editor's pretty printing feature is enabled. This greatly improves the readability of data, markup, and code in HTTP messages by displaying them with standardized indentation and line breaks.

In editable messages, supported text formats will be dynamically prettified as you type wherever possible. Otherwise, the text will be prettified when you send the request.

Note: This view is only available if the message contains content in one of the supported formats.

Hex view

This view displays messages in raw form in a hexadecimal editor. It shows messages arranged into lines of 16 bytes, and displays the hex value of each byte. You can edit messages in the hex view, and any values that you insert can be given as characters or in two-digit hexadecimal form, from 00 through FF.

Any selected bytes appear in the message inspector. You can edit individual bytes directly in the inspector or by double-clicking values in the table. You can select rows of bytes by clicking the row number, and view the selection in the message inspector.

The hex view is useful when you want to:

View or edit the code point for individual characters.
View or insert non-printing characters.
Insert or delete individual bytes or strings.

The context menu for this view additionally has the following items:

Insert byte: This inserts a single new byte before the selected byte.
Insert bytes: This inserts the requested number of new bytes before the selected byte.
Insert string: This inserts the specified string before the selected byte.
Delete byte: This deletes the selected byte.
Delete selected bytes: This deletes the selected bytes.

Render view

This tab applies to HTTP responses containing HTML or image content. It attempts to render the contents of the message body in the form it would appear when displayed in a browser.

Extension-specific views

Some Burp extensions provide additional views for the message editor. You can access these views from the drop-down menu to the right of the toolbar.

If you haven't yet opened an extension-specific view, the menu button will say "Select extension...". Clicking this button displays a list of all the currently loaded extensions for which a message editor view is available. Select one of the extensions to switch to its custom view.

Once you have opened an extension-specific view, the menu button displays the name of the extension. You can now alternate between this view and the default views in the editor by clicking on the corresponding buttons. You can use the arrow on the right-hand side of the button to change which extension it displays.

The "Actions" menu provides quick access to the full range of context-specific actions that are available for the current request.

Other ways of using the message editor

You can also do the following things with the message editor:

You can toggle whether non-printing characters are displayed as lozenges directly in the normal HTTP message editor views. To do this, press the "\n" button in the message editor toolbar.
To view the code point for a character, select a character, either printing or non-printing, in the HTTP message. An entry will appear in the Inspector that indicates the decimal and hex code points for the character. In editable contexts, such as a request in Burp Repeater, you can edit this value to overwrite the selected character.
You can insert a non-printing character, such as a null byte, carriage return, or newline character, by editing the code point of an existing byte using the Inspector.
You can insert a CLRF by placing the cursor in the appropriate position in the request and press the Enter / Return key.
To insert a byte, place the cursor in the desired position in the request and enter an arbitrary placeholder character. Edit its code point accordingly using the Inspector.
To delete a byte, delete the corresponding character directly in the request. To delete non-printing characters, we recommend using the "\n" button to display them first.

Note: Instead of using the Inspector to edit code points for a character, some users may find it quicker to URL-encode a selection and edit the relevant hex codes in-line before decoding the selection back to its original form. This is particularly effective if you use the corresponding hotkeys.

Context-specific actions

You can access a range of context-specific actions for a request or response by clicking the "Actions" button. Alternatively, you can right-click on the message and select an action from the context menu. The available actions depend on the message type. These are described below.

Note: The menu may also include additional items that are specific to the tool in which the editor appears (for example, in Repeater, the context menu has options to paste a URL as a request, and add the current item to the site map).

Scan / send to ...

You can send any message, or a selected portion of the message, to other Burp tools, to perform further attacks or analysis. The ability to send requests between tools forms the core of Burp's user-driven workflow.

Show response in browser

You can use this to render the selected response in your browser, to avoid the limitations of Burp's built-in HTML renderer. When you select this option, Burp gives you a unique URL that you can paste into your browser (configured to use the current instance of Burp as its proxy), to render the response. The resulting browser request is served by Burp with the exact response that you selected (the request is not forwarded to the original web server), and yet the response is processed by the browser in the context of the originally requested URL. Hence, relative links within the response will be handled properly by your browser. As a result, your browser may make additional requests (for images, CSS, etc.) in the course of rendering the response - these will be handled by Burp in the usual way.

Request in browser

You can use this to re-issue the selected request in your browser (configured to use the current instance of Burp as its proxy). The following sub-options are available:

In original session - This causes Burp to issue the request using the exact Cookie header that appeared in the original request.
In current browser session - This causes Burp to issue the request using the cookies supplied by your browser. You can use this feature to facilitate testing of access controls, by selecting requests within Burp that were generated within one user context (e.g. an administrator), and reissuing the requests within a different user context that you are now logged in as (e.g. an ordinary user). When you are dealing with complex, multi-stage processes, this methodology, of manually pasting a series of URLs from Burp into your browser, is normally a lot easier than repeating a multi-stage process over and over, and modifying cookies manually using the Proxy.

Engagement tools

Professional This submenu contains various useful functions for carrying out engagement-related tasks:

Find references - You can use the Find references function to search all of Burp's tools for HTTP responses that link to the currently displayed item.
Discover content -You can use the Discover content function to discover content and functionality that is not linked from visible content which you can browse to or spider.
Schedule task - You can use the Schedule task function to create tasks that will run automatically at defined times and intervals.
Generate CSRF PoC - You can use the Generate CSRF PoC function to create some HTML which, when viewed in a browser, will cause the current request to be issued.

Change request method

For requests, you can automatically switch the request method between GET and POST, with all relevant request parameters suitably relocated within the request. This option can be used to quickly test the application's tolerance of parameter location, e.g. to bypass input filters or fine-tune a cross-site scripting attack.

Change body encoding

For requests, you can switch the encoding of any message body between standard URL-encoded and multipart.

Copy URL

This function copies the full current URL to the clipboard.

Copy as curl command

This function copies to the clipboard a curl command that can be used to generate the current request.

Copy to file

This function allows you to select a file and copy the contents of the current message to the file. This is handy for binary content, when copying via the clipboard may cause problems. Copying operates on the selected text or, if nothing is selected, the whole message.

Paste from file

This function allows you to select a file and paste the contents of the file into the message. This is handy for binary content, when pasting via the clipboard may cause problems. Pasting replaces the selected text or, if nothing is selected, inserts at the cursor position.

Save item

This function lets you specify a file to save the selected request and response in XML format, including all relevant metadata such as response length, HTTP status code and MIME type.

Convert selection

This applies to the Raw view only. The submenu items enable you to perform quick encoding or decoding of the selected text in a variety of schemes. If the message is editable, then the conversion is performed in-place to the selected text. If the message is not editable, then the result of the conversion is shown in a dialog. The following types of conversion are available:

URL - These options perform URL encoding or decoding. You can optionally encode just key HTTP metacharacters, or all characters, or all characters using 2-byte Unicode-encoding (e.g. %u0041 for A).
HTML - These options perform HTML encoding or decoding. You can optionally encode just key HTML metacharacters, or all characters, or all characters using numeric entities (e.g. A for A), or all characters using hex entities (e.g. A for A).
Base64 - These options perform Base64 encoding or decoding.
Construct string - These options generate code in various interpreted languages to dynamically construct the selected string. It can be useful for delivering certain attacks like SQL injection, where it is necessary to dynamically build a string to evade input filters. The available options are JavaScript, and SQL on the Microsoft, Oracle and MySQL platforms.

URL-encode as you type

This applies to the Raw view only. If this option is turned on then characters like & and = will be automatically replaced with their URL-encoded equivalents as you type.