The message inspector is a collapsible panel displayed to the right of the message editor throughout Burp Suite. It provides a quick way to analyze and work with interesting features of HTTP and WebSocket messages without having to switch between different tabs. You can horizontally resize both the inspector panel and columns within the panel. You can also select multiple items at once within the inspector.
For HTTP messages, the inspector panel initially contains a list of potentially interesting items found in the displayed messages. These are grouped into the following categories:
- Query parameters
- Body parameters
- Request cookies
- Request headers
- Response headers
The number next to each category indicates how many items of this type were found. Expanding each category displays all of these items and their respective values. The value shown for parameters and cookies is automatically URL decoded. You can also drill down into individual items to perform some common operations on them.
For editable messages, such as in Burp Repeater, you can use the buttons at the bottom of each category to add, remove, and reorder items in the message. You can also edit the value of each item and apply your changes back to the main editor.
Using the context menu
Right click on one or more items in the inspector to show the context menu. From here, you can copy selected items (the hotkey for Copy also works). If you are inspecting a request, you can also remove items (or use the Cut hotkey to copy and remove). You can also copy an item's name or value if you have selected a single item.
If you copy a value, the original value will be stored in the copy buffer, rather than any decoded version. Copying an item stores both the name and value of the item in the copy buffer, formatted as appropriate for that item.
Working with encoded data in the inspector
Instead of sending values back and forth to Burp Decoder or manually decoding text selections using the context menu, you can access some of the same functionality directly in the inspector.
The initial value shown in the inspector is already URL decoded in most cases. However, there may still be additional layers of encoding that you need to remove. For example, query parameters might be both Base64 and URL encoded. If you drill down into any encoded item, the inspector will automatically apply the appropriate series of transformations to fully decode its value. This makes it much quicker and easier to work with encoded data. Currently, the inspector can handle HTML, URL, and Base64 encodings.
Each decoding step, and the resulting value, is displayed separately so that you can see exactly what is happening behind the scenes. You can also manually adjust the decoding used in each step and add extra decoding steps if necessary.
Decoding selected characters
In addition to decoding the values of headers, parameters, and cookies, you can also use the inspector to decode any sequence of characters.
If you select two or more characters directly in an editable message, the "Selection" widget appears in the inspector. This contains the selected text and the same smart and manual decoding features that are available when you drill down into an item. For non-editable messages, the selection widget appears only when you select a value containing one of the supported encodings.
Editing encoded data
The inspector makes it much simpler to edit and manipulate encoded data in messages.
When you drill down into an item in the inspector, the cursor is placed at the end of the decoded value ready for you to make any changes. As you type, your changes are automatically applied back through the displayed sequence of encodings. The resulting value after all of the encodings have been reapplied is shown at the top of the panel.
You can overwrite the value in the message with your new, fully encoded value by clicking "Apply changes" or pressing the enter key. As long as the appropriate sequence of decoding steps was used initially, this should be encoded in exactly the same way as the original value was.
This functionality is also available for encoded values that you manually select directly in the message editor.
Working with individual characters in the inspector
When you select an individual character directly in the message editor, the "Selection" widget appears in the inspector. However, this does not provide the decoding functionality that you see when you select multiple characters. Instead, you can use a drop-down menu to display either the hexadecimal or decimal code point for the character.
For editable messages, you can edit this code point and apply the changes to overwrite the selected character in the message.
Injecting non-printing characters
You can use the
\n button in the message editor to toggle whether non-printing characters are displayed in the message. For various reasons, you might also want to inject additional non-printing characters. There are a couple of ways to do this using the inspector:
When editing a value, you can insert a CRLF (
\r\n) by pressing
Shift + Enter.
If you select an individual character in an editable message, you can change the hexadecimal or decimal code point in the inspector to replace the character with a non-printing one. For example, you might use the hex code
00to inject a null byte (
\0) in order to observe how this is handled by the target server.