The message editor is used throughout Burp for viewing and editing HTTP requests and responses, and WebSocket messages. JavaScript, JSON, and CSS content is displayed using syntax colorizing, which is updated dynamically as you type. As well as displaying the raw messages themselves, the editor includes a large number of functions to help you quickly analyze the messages further, drive Burp's core workflow, and carry out other useful tasks.
The editor uses various tabs to display and analyze different types of messages. The tabs that are shown depend on the type and contents of the currently displayed message.
This tab displays the message in raw form in a text editor. The text editor includes various useful functions including syntax analysis, hotkeys, and text search. For certain formats, pretty printing is also supported. You even have the option to display non-printing characters.
This tab applies only to HTTP requests, and displays the request parameters in tabular form. If the message is editable, then you can edit each parameter's name and value directly in the table, and also change the parameter type. You can also add, move and reorder parameters.
Where applicable, parameter names and values are displayed in the table in their URL-decoded form, for easier viewing. When you double-click an item for editing, it will be shown in its original form. If, while editing, you enter any relevant metacharacters in their literal form (such as an ampersand or equals character), these will be automatically URL-encoded when you finish editing.
You can select a single cell and use Ctrl+C to copy its value. If you select multiple rows, then all the selected values are copied, with tab/newline delimiters, allowing you to easily paste the content into other software, such as a spreadsheet.
This tab applies to any HTTP message containing headers after the first line. It displays the header names and values in tabular form. If the message is editable, then you can edit each header's name and value directly in the table. You can also add, move and reorder headers.
If the message has a non-empty body, this will be displayed in the lower half of the headers tab, in its own text editor.
This tab displays the message in raw form in a hex editor. You can edit individual bytes directly by double-clicking values in the table. Values must be given in two-digit hexadecimal form, from 00 through FF.
The context menu for this tab additionally has the following items:
This tab applies to HTTP responses containing HTML content in the message body. The tab displays only the HTML (no headers), and shows this in a prettified form, with the content laid out and indented according to the HTML tag hierarchy. The main use of this tab is to make badly formatted HTML (as shown in the Raw tab) more easily readable.
This tab applies to HTTP responses containing XML content in the message body. The tab displays only the XML (no headers), and shows this in a prettified form, with the content laid out and indented according to the XML tag hierarchy. The main use of this tab is to make badly formatted XML (as shown in the Raw tab) more easily readable.
This tab applies to HTTP responses containing HTML or image content. It attempts to render the contents of the message body in the form it would appear when displayed in a browser.
This tab applies to HTTP messages containing an ASP.NET ViewState (either as a parameter in requests, or as a form field in responses). The contents of the ViewState are unpacked and displayed in a tree structure (unless the ViewState is encrypted). The raw data itself is shown in a panel below the tree (in a text editor for ViewState v1.0 and in a hex editor for v2.0).
If the message is editable, then you can edit the raw data in the lower panel to modify the ViewState. (The tree itself is not editable.) When you have finished editing the raw data, if you select another tab in the message editor, and then re-select the ViewState tab, then the tree will be redrawn with your updated content. Note that if the ViewState is MAC-enabled, then editing it is unlikely to achieve anything, because the server-side platform will reject the modified data.
Right-clicking on the message editor produces a context menu that can be used to perform various actions, depending on the message type. These are described below.
Note: The context menu may also include additional items that are specific to the tool in which the editor appears (for example, in Repeater, the context menu has options to paste a URL as a request, and add the current item to the site map).
You can send any message, or a selected portion of the message, to other Burp tools, to perform further attacks or analysis. The ability to send requests between tools forms the core of Burp's user-driven workflow.
You can use this to render the selected response in your browser, to avoid the limitations of Burp's built-in HTML renderer. When you select this option, Burp gives you a unique URL that you can paste into your browser (configured to use the current instance of Burp as its proxy), to render the response. The resulting browser request is served by Burp with the exact response that you selected (the request is not forwarded to the original web server), and yet the response is processed by the browser in the context of the originally requested URL. Hence, relative links within the response will be handled properly by your browser. As a result, your browser may make additional requests (for images, CSS, etc.) in the course of rendering the response - these will be handled by Burp in the usual way.
You can use this to re-issue the selected request in your browser (configured to use the current instance of Burp as its proxy). The following sub-options are available:
This submenu contains various useful functions for carrying out engagement-related tasks:
For requests, you can automatically switch the request method between GET and POST, with all relevant request parameters suitably relocated within the request. This option can be used to quickly test the application's tolerance of parameter location, e.g. to bypass input filters or fine-tune a cross-site scripting attack.
For requests, you can switch the encoding of any message body between standard URL-encoded and multipart.
This function copies the full current URL to the clipboard.
This function copies to the clipboard a curl command that can be used to generate the current request.
This function allows you to select a file and copy the contents of the current message to the file. This is handy for binary content, when copying via the clipboard may cause problems. Copying operates on the selected text or, if nothing is selected, the whole message.
This function allows you to select a file and paste the contents of the file into the message. This is handy for binary content, when pasting via the clipboard may cause problems. Pasting replaces the selected text or, if nothing is selected, inserts at the cursor position.
This function lets you specify a file to save the selected request and response in XML format, including all relevant metadata such as response length, HTTP status code and MIME type.
This applies to the Raw tab only. The submenu items enable you to perform quick encoding or decoding of the selected text in a variety of schemes. If the message is editable, then the conversion is performed in-place to the selected text. If the message is not editable, then the result of the conversion is shown in a dialog. The following types of conversion are available:
This applies to the Raw tab only. If this option is turned on then characters like & and = will be automatically replaced with their URL-encoded equivalents as you type.