Inspector

  • Last updated: October 6, 2021

  • Read time: 5 Minutes

The Inspector is a collapsible panel displayed to the right of the message editor throughout Burp Suite. It provides a quick way to analyze and work with interesting features of HTTP and WebSocket messages without having to switch between different tabs. It also enables you to work with HTTP/2 messages without any normalization, so you can view and control exactly what gets sent to the server.

For HTTP messages, the Inspector initially contains a list of potentially interesting items found in the displayed messages. These are grouped into the following categories:

  • Request Attributes
  • Query Parameters
  • Body Parameters
  • Request Cookies
  • Request Headers
  • Response Headers

The number next to each category indicates how many items of this type were found. Expanding each category displays all of these items and their respective values. The value shown for parameters and cookies is automatically URL decoded. You can also drill down into individual items to perform some common operations on them.

For editable messages, such as in Burp Repeater, you can use the buttons at the bottom of each category to add, remove, and reorder items in the message. You can also edit the value of each item and apply your changes back to the main editor.

Request attributes

The Request Attributes section displays the protocol, method, and path of the request. In Burp Repeater or a request you've intercepted in Burp Proxy, you can also toggle which protocol you want to use to send the request. Burp performs the necessary transformations to generate an equivalent request in the correct format for the new protocol. This means you can easily upgrade and downgrade individual requests as needed.

For more detailed information, see our documentation on working with HTTP/2 in Burp.

HTTP/2 headers and pseudo-headers

For HTTP/2 messages, the Inspector also displays the pseudo-headers and a more accurate representation of the normal headers. This enables you to work with HTTP/2 requests in a way that's completely decoupled from the message editor's HTTP/1-style syntax and more closely resembles the request that will be sent to the server. Using this view, you can test for a number of HTTP/2-exclusive vulnerabilities using injections that are not possible in the message editor.

For more detailed information, see our documentation on working with HTTP/2 in Burp.

Using the context menu

Right-click on one or more items in the Inspector to show the context menu. From here, you can copy selected items (the hotkey for Copy also works). If you are inspecting a request, you can also remove items (or use the Cut hotkey to copy and remove). You can also copy an item's name or value if you have selected a single item.

If you copy a value, the original value will be stored in the copy buffer, rather than any decoded version. Copying an item stores both the name and value of the item in the copy buffer, formatted as appropriate for that item.

Working with encoded data in the Inspector

Instead of sending values back and forth to Burp Decoder or manually decoding text selections using the context menu, you can access some of the same functionality directly in the Inspector.

Automatic decoding

The initial value shown in the Inspector is already URL decoded in most cases. However, there may still be additional layers of encoding that you need to remove. For example, query parameters might be both Base64 and URL encoded. If you drill down into any encoded item, the Inspector will automatically apply the appropriate series of transformations to fully decode its value. This makes it much quicker and easier to work with encoded data. Currently, the Inspector can handle HTML, URL, and Base64 encodings.

Each decoding step, and the resulting value, is displayed separately so that you can see exactly what is happening behind the scenes. You can also manually adjust the decoding used in each step and add extra decoding steps if necessary.

Decoding selected characters

In addition to decoding the values of headers, parameters, and cookies, you can also use the Inspector to decode any sequence of characters.

If you select two or more characters directly in an editable message, the "Selection" widget appears in the Inspector. This contains the selected text and the same smart and manual decoding features that are available when you drill down into an item. For non-editable messages, the selection widget appears only when you select a value containing one of the supported encodings.

Editing encoded data

The Inspector makes it much simpler to edit and manipulate encoded data in messages.

When you drill down into an item in the Inspector, the cursor is placed at the end of the decoded value ready for you to make any changes. As you type, your changes are automatically applied back through the displayed sequence of encodings. The resulting value after all of the encodings have been reapplied is shown at the top of the panel.

You can overwrite the value in the message with your new, fully encoded value by clicking "Apply changes" or pressing the Enter key. As long as the appropriate sequence of decoding steps was used initially, this should be encoded in exactly the same way as the original value was.

This functionality is also available for encoded values that you manually select directly in the message editor.
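The layered decoding described under "Automatic decoding" and the re-encoding of an edited value described above, as an added Python illustration (not PortSwigger's code and not how Burp implements it internally). The sample value is constructed, and the layer-detection heuristic is an assumption of this example rather than a description of the Inspector's own detection logic.

```python
# Added illustration (not PortSwigger's code) of the Inspector's drill-down: peel URL, HTML
# and Base64 layers one at a time, record each step, then push an edited value back through
# the same chain in reverse order.
import base64, binascii, html, re
from urllib.parse import quote, unquote

def _differs(fn):
    # Treat a decoder as applicable only if it actually changes the value.
    return lambda v: fn(v) if fn(v) != v else None

def _try_base64(value):
    # Assumed heuristic: valid alphabet, padded length, printable UTF-8 result. Like any
    # automatic detector it can guess wrong, which is why the Inspector lets you adjust steps.
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]{4,}={0,2}", value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None

DECODERS = {"url": _differs(unquote), "html": _differs(html.unescape), "base64": _try_base64}
ENCODERS = {
    "url": lambda v: quote(v, safe=""),
    "html": lambda v: html.escape(v, quote=True),
    "base64": lambda v: base64.b64encode(v.encode("utf-8")).decode("ascii"),
}

def decode_chain(value, max_layers=5):
    """Return (fully decoded value, [(encoding, result), ...]) in the order layers came off."""
    steps = []
    for _ in range(max_layers):
        for name, decoder in DECODERS.items():
            result = decoder(value)
            if result is not None:
                steps.append((name, result))
                value = result
                break
        else:
            break  # no decoder changed the value: fully decoded
    return value, steps

def reencode(new_value, steps):
    """Re-apply the recorded encodings innermost first, as 'Apply changes' does."""
    for name, _ in reversed(steps):
        new_value = ENCODERS[name](new_value)
    return new_value

# Constructed sample: 'sort=name&page=1', Base64-encoded and then URL-encoded.
SAMPLE = "c29ydD1uYW1lJnBhZ2U9MQ%3D%3D"
```

Calling `decode_chain(SAMPLE)` records a URL step followed by a Base64 step; editing the page number and calling `reencode` with those steps yields a value encoded exactly like the original, which is the behaviour the "Apply changes" note above relies on.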

Working with individual characters in the Inspector

When you select an individual character directly in the message editor, the "Selection" widget appears in the Inspector. However, this does not provide the decoding functionality that you see when you select multiple characters. Instead, you can use a drop-down menu to display either the hexadecimal or decimal code point for the character.

For editable messages, you can edit this code point and apply the changes to overwrite the selected character in the message.

Injecting non-printing characters

You can use the \n button in the message editor to toggle whether non-printing characters are displayed in the message. For various reasons, you might also want to inject additional non-printing characters. There are a couple of ways to do this using the Inspector:

  • When editing a value, you can insert a CRLF (\r\n) by pressing Shift + Enter.
  • If you select an individual character in an editable message, you can change the hexadecimal or decimal code point in the Inspector to replace the character with a non-printing one. For example, you might use the hex code 00 to inject a null byte (\0) in order to observe how this is handled by the target server.