
Inspector

  • Last updated: May 17, 2022

  • Read time: 7 Minutes

The Inspector is a collapsible panel displayed to the right of the message editor throughout Burp Suite. It provides the following key features:

  • Quickly view and edit interesting features of HTTP and WebSocket messages without having to switch between different tabs.

  • View the fully decoded values of parameters, cookies, or a substring that you've selected in the editor.

  • Add, remove, and reorder items at the click of a button rather than working with the raw HTTP syntax.

  • Edit data in its decoded form. The relevant sequence of encodings is automatically reapplied when updating the request.

  • Toggle the protocol used to send individual requests. Burp will automatically perform the necessary transformations to generate an equivalent request for the new protocol.

  • Work with HTTP headers and pseudo-headers without being tied to the message editor's HTTP/1-style syntax. This facilitates a number of advanced techniques for HTTP/2-specific testing.

Note that some of these features are only available for editable requests, such as in Burp Repeater or when working with an intercepted request in Burp Proxy.

Note

It is also possible to add tabs to the message editor which display the same information. You can enable these in the message editor settings.

Request attributes

The Request Attributes section displays the HTTP method, the path, and the protocol that was used to send the request or, for editable messages, the protocol that you want to use when you send the request.

When you change the protocol, Burp performs the necessary transformations to generate an equivalent request for the new protocol. This means you can easily upgrade and downgrade individual requests as needed.

Viewing HTTP message data in the Inspector

The Inspector displays all of the headers, parameters, and cookies from both the request and response as a series of name-value pairs. This makes it easier to see what you've got to work with. The items are grouped into collapsible categories based on their type. The number next to each category indicates how many items of this type were found.

Automatic decoding

The values shown in the Inspector are also automatically HTML, URL, and Base64-decoded so that you can view them in a more easily readable form without having to manually decode them first.

In the main Inspector view, you only see the final result of this decoding. You can also click the arrow to the right of each item to view it in more detail. Here, you can see each decoding step that the Inspector applied, and the resulting value at each stage.

You can also modify the sequence of decoding steps using the provided drop-down menus and use the plus and minus icons to manually add or remove more steps if necessary.
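The layered decoding and re-encoding described above can be modelled outside Burp. The following Python sketch is an added example, not Burp's implementation: it peels URL, HTML-entity and Base64 layers off a value one at a time, recording each step, and then reapplies the same encodings in reverse order to an edited value so that the edit fits back into the original slot. The decoder names, the heuristics for recognising a Base64 layer, and the sample cookie value are all constructed for this illustration.

```python
import base64
import binascii
import html
import re
from urllib.parse import quote, unquote

# Hypothetical decoder chain mirroring the Inspector's behaviour (example code, not Burp's).
# Each decoder returns the decoded text, or None when the layer is not present.

def _try_url(value):
    decoded = unquote(value)
    return decoded if decoded != value else None

def _try_html(value):
    decoded = html.unescape(value)
    return decoded if decoded != value else None

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def _try_base64(value):
    # Require the canonical alphabet, length and padding to avoid treating plain words as Base64.
    if len(value) < 8 or len(value) % 4 != 0 or not _B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only accept the layer if the result reads as text; binary output is left encoded.
    return text if text.isprintable() else None

# Tried in this order at every layer (dict order is insertion order in Python 3.7+).
DECODERS = {"url": _try_url, "html": _try_html, "base64": _try_base64}
ENCODERS = {
    "url": lambda s: quote(s, safe=""),
    "html": html.escape,
    "base64": lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii"),
}

def decode_chain(value, max_steps=8):
    """Peel encodings layer by layer.

    Returns (final_value, steps) where steps is a list of (decoder_name, intermediate_value),
    which is the per-stage view the Inspector shows in an item's detailed panel.
    """
    steps = []
    current = value
    for _ in range(max_steps):
        for name, decoder in DECODERS.items():
            decoded = decoder(current)
            if decoded is not None:
                steps.append((name, decoded))
                current = decoded
                break
        else:
            break  # no decoder matched: fully decoded
    return current, steps

def reencode(new_value, steps):
    """Apply the recorded encodings in reverse so an edited value fits the original slot."""
    out = new_value
    for name, _ in reversed(steps):
        out = ENCODERS[name](out)
    return out

# Constructed sample: a JSON blob, Base64-encoded, then URL-encoded as a cookie value.
SAMPLE_COOKIE = "eyJ1c2VyIjoiYWxpY2UifQ%3D%3D"

if __name__ == "__main__":
    final, steps = decode_chain(SAMPLE_COOKIE)
    for name, intermediate in steps:
        print(f"{name:>7}: {intermediate}")
    print("edited :", reencode('{"user":"admin"}', steps))
```

Editing the decoded `{"user":"alice"}` to `{"user":"admin"}` and calling `reencode` produces a value that is Base64-encoded first and URL-encoded second, exactly the order in which the layers were originally applied.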

HTTP/2 headers and pseudo-headers

The Inspector displays HTTP/2 pseudo-headers as name-value pairs alongside any ordinary headers in the request. You can tell them apart because the name of each pseudo-header is prefixed with a colon.

This provides an alternative way of working with HTTP/2 requests that is completely decoupled from HTTP/1 syntax. This more closely resembles the underlying request that is sent to the server. It also enables you to test for a number of HTTP/2-specific vulnerabilities using injections that are not possible via the message editor.

For more detailed information, see the documentation on working with HTTP/2 in Burp.
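The protocol toggle in Request attributes and the pseudo-header view in this section both rest on the same mapping between an HTTP/1 request head and the list of HTTP/2 fields. The Python below is an added example, not Burp's code: it converts a request head into an ordered field list with the colon-prefixed pseudo-headers first, drops the connection-specific headers that have no meaning in HTTP/2 (RFC 9113 §8.2.2), and rebuilds an HTTP/1.1 request from such a list. The downgrade direction also performs the check a conforming front-end must make, rejecting any field name or value containing CR, LF or NUL (RFC 9113 §8.2.1), which is why these characters cannot be typed into the HTTP/1-style editor. The sample request and function names are constructed for this illustration.

```python
import re

# Connection-specific headers that are removed when upgrading to HTTP/2 (RFC 9113 §8.2.2).
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection", "transfer-encoding", "upgrade"}

# Octets that make an HTTP/2 field malformed (RFC 9113 §8.2.1).
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def http1_to_h2_fields(raw_request, scheme="https"):
    """Split an HTTP/1.1 request head into an ordered list of HTTP/2 (name, value) fields.

    Pseudo-headers come first, as HTTP/2 requires; ordinary header names are lowercased.
    Returns (fields, body). Assumes any body length is conveyed by content-length,
    which is kept; a chunked body would need re-framing and is out of scope here.
    """
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    fields = [(":method", method), (":path", path), (":scheme", scheme)]
    authority = ""
    ordinary = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            authority = value  # Host becomes the :authority pseudo-header
            continue
        if name in CONNECTION_SPECIFIC:
            continue
        ordinary.append((name, value))
    fields.append((":authority", authority))
    return fields + ordinary, body


def malformed_fields(fields):
    """Names of fields whose name or value contains CR, LF or NUL."""
    return [name for name, value in fields if _FORBIDDEN.search(name) or _FORBIDDEN.search(value)]


def h2_fields_to_http1(fields, body=""):
    """Rebuild an HTTP/1.1 request from HTTP/2 fields, refusing malformed fields.

    Writing a CR/LF-bearing value into the HTTP/1 head would let it terminate the header and
    start a new one, so a downgrading front-end must reject it instead of forwarding it.
    """
    bad = malformed_fields(fields)
    if bad:
        raise ValueError(f"malformed HTTP/2 field(s): {bad}")
    pseudo = dict(f for f in fields if f[0].startswith(":"))
    ordinary = [f for f in fields if not f[0].startswith(":")]
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1", f"Host: {pseudo[':authority']}"]
    lines += [f"{name}: {value}" for name, value in ordinary]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed sample request head.
SAMPLE_REQUEST = (
    "GET /search?q=inspector HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: demo\r\n"
    "\r\n"
)

if __name__ == "__main__":
    fields, body = http1_to_h2_fields(SAMPLE_REQUEST)
    for name, value in fields:
        print(f"{name}: {value}")
    print(h2_fields_to_http1(fields, body))
```

Round-tripping the sample through both functions yields the same request minus the `Connection` header and with lowercased header names, which is the visible effect of toggling the protocol in Request attributes.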

Selecting a substring

You can highlight an arbitrary substring in the message editor to view this in the Inspector. When you begin selecting one or more characters, the Selection widget appears. Exactly what is shown here depends on your selection:

  • If you select an individual character, you can see its ASCII code point in either decimal or hexadecimal form.

  • If you select more than one character, your selection is displayed and automatically decoded just like when you look at the detailed view of parameters, cookies, and so on. The character count is also shown next to the category heading.

Note that the Selection widget also displays any non-printing characters, regardless of whether you've selected the option to show them in the message editor. If you highlight multiple lines, you'll see the \r\n characters at the end of each line, for example.

Modifying requests using the Inspector

When working with editable messages, such as in Burp Repeater, the Inspector provides several features to simplify the process of modifying the request. Working in the Inspector rather than directly in the editor makes it quicker to perform basic operations such as reordering headers. It also greatly simplifies the process of working with encoded data.

Adding new items to a request

To add a new item, such as an HTTP header, expand the relevant category in the Inspector panel, then click the Add button at the bottom of the list. Give the item a name and value, then click Add again. Notice that the message editor is updated to contain the new item.

Removing items from a request

To remove an item from the request, select the item, then click the Remove button at the bottom of the list. Alternatively, right-click on the item and select Remove item from the context menu.

Note that you can use both of these approaches to remove multiple items at the same time. To select multiple items, either click and drag the mouse or hold the Shift key while clicking each item.

Reordering items in a request

To reorder items in a request, select the item you want to move, then use the arrow buttons at the bottom of the list. This is much quicker than manually cutting and pasting the item in the message editor.

Editing the name or value of an item

To edit the name or value of an item, just double-click the entry in the main Inspector panel. You can then make whichever changes you want and press the Return key to apply the changes.

If the data that you edited was automatically decoded by the Inspector, the same sequence of encodings will be applied to your changes before they are injected into the request. This saves you a lot of time when working with encoded data.

Note

If you want to see the sequence of decoding steps that are being applied to your input, click the arrow to the right of the item to open the detailed view.

Injecting newlines

It is currently not possible to inject newlines from the main Inspector view. However, you can do this from the detailed view. Click the arrow to the right of the item that you want to edit to open the detailed view, select the location in the Name or Value field where you want to inject the characters, then press Shift + Return. The carriage return (CR) and line feed (LF) characters are injected into the entry field, represented by the \r\n icons.

This is essential for exploiting a number of HTTP/2-exclusive vulnerabilities that were discovered by James Kettle. For more details, check out his whitepaper on our research page.

PortSwigger Research: HTTP/2: The Sequel Is Always Worse

Injecting other non-printing characters

To inject any non-printing character in the Inspector, first add an arbitrary placeholder character in the appropriate location. Select this placeholder, then use the Inspector's Selection widget to change its code point to that of whichever character you want to inject. For example, setting the code point to 00 replaces the character with a null byte.

Note that you can also inject non-printing characters without needing to add a placeholder by switching to the message editor's Hex tab.

Copying items from the Inspector

You can copy one or more items from the Inspector panel to paste them elsewhere, such as into another request. You have the following options for doing this:

  • Select one or more items, then choose Copy item(s) from the context menu.

  • Select one or more items and use the Copy or Cut hotkeys on your keyboard.

  • Select a single item, then choose Copy name or Copy value from the context menu to copy the name or value only.

Note that in the case of encoded data, the original encoded value is copied to your clipboard rather than the decoded version that you see in the Inspector.

Configuring Inspector display settings

The buttons at the top of the Inspector panel enable you to adjust various display settings. You can:

  • Toggle whether the panel is docked to the left or right of the screen in the current location. Burp remembers your selection for each tool separately.

  • Expand or collapse all widgets simultaneously. Note that the expand button only expands widgets that contain data.

  • Configure default Inspector display settings that apply across all Burp Suite tools.

Configuring default display settings

Click the settings button to open the settings dialog, then select the Inspector settings section.

The Widgets section enables you to adjust how widgets are displayed within the Inspector by default. You can:

  • Select which widgets are shown on the Inspector panel, whether or not each widget is expanded by default, and whether the text inside the cells of that widget should be wrapped.

  • Re-order the list of widgets using the Up and Down buttons.

The Default position & display options section enables you to set the default layout for the Inspector panel. You can:

  • Set the panel's default position (either left or right).

  • Set the panel's display mode. By default, the Inspector is set to Auto-expand, which expands and collapses the panel depending on the available screen space. To keep the Inspector collapsed, select the Always collapsed radio button.

The settings on the Inspector settings dialog are global: they apply when using the Inspector across all Burp Suite tools.