Last updated: October 14, 2021
Read time: 4 Minutes
The text editor is used by the HTTP message editor for displaying the content of requests and responses, and is elsewhere within Burp for displaying any plain text. It provides a number of useful features to make it easier to read different kinds of text and help you to analyze the content.
When syntax colorizing is enabled, the editor also displays mouse-over popups showing the decoded values of syntax items where appropriate. For HTTP requests, the popups perform URL-decoding, and for responses they perform HTML-decoding.
In the "Pretty" view, supported text formats will automatically be prettified in the text editor. The editor currently supports pretty printing of the following formats:
This greatly improves the readability of data, markup, and code in HTTP messages by displaying them with standardized indentation and line breaks. In editable messages, such as in Burp Repeater, supported text formats will be dynamically prettified as you type wherever possible. Otherwise, the text will be prettified when you send the request.
By default, messages will be displayed in the "Pretty" view whenever Burp detects a supported format in the content. You can manually alternate between the prettified version and the raw content using the corresponding buttons in the message editor.
If you would prefer not to use pretty printing by default, you can disable this setting under "User options" > "Display" > "HTTP Message Display".
By default, non-printing characters in HTTP requests and responses are hidden. However, you can use the "\n" button to toggle whether these characters are rendered as small "lozenges" within the message. This is supported for any bytes with a hexadecimal code point lower than 20, which includes tabs, line feeds, carriage returns, and null bytes. Characters with code points from 7F to FF are also supported.
This feature is beneficial for many use cases, for example:
- Spotting subtle differences between byte values in responses
- Experimenting with HTTP request smuggling vulnerabilities
- Studying line endings to identify potential HTTP header injection vulnerabilities
- Observing how null-byte injections are handled by the server
Text editor hotkeys
The text editor supports hotkeys for various common actions. These can be configured in the hotkeys options, and the default hotkeys relevant to the text editor are as follows:
- Ctrl + A, select all
- Ctrl + X, cut selected text
- Ctrl + C, copy selected text
- Ctrl + V, paste
- Ctrl + S, find and highlight the selected text throughout the message
- Ctrl + Z, undo last edit
- Ctrl + Y, redo last undone edit
- Ctrl + U, URL-encode selected text (hold down Shift to decode)
- Ctrl + H, HTML-encode selected text (hold down Shift to decode)
- Ctrl + B, Base64-encode selected text (hold down Shift to decode)
- Ctrl + left, move to previous word
- Ctrl + right, move to next word
- Ctrl + up, move to previous paragraph
- Ctrl + down, move to next paragraph
- Ctrl + home, go to start of message
- Ctrl + end, go to end of message
- Ctrl + backspace, delete previous word
- Ctrl + del, delete next word
At the bottom of the text editor is a search bar that can be used to quickly find expressions within the displayed text. As you type into the search box, the editor will automatically highlight matching items in the text. The "<" and ">" buttons can be used to move the selection to the previous or next match. The "+" button displays the following options:
- Case sensitive - This specifies whether the search is case sensitive or insensitive.
- Regex - This specifies whether the search term is a regular expression or a literal string.
- Auto-scroll to match when text changes - This specifies whether the text editor should automatically scroll to the first highlighted match when new text is displayed. This is useful, for example, when stepping through items in the Proxy history looking for a particular expression in responses. If this option is selected, then when you select a new item, the display will automatically scroll to the first search match.
The default for these options is off. The defaults can be changed by going to User options / Misc and scrolling down to Message Search.
In addition to search highlights, some Burp tools apply their own highlights to requests and responses. For example, Burp Scanner highlights relevant parts of HTTP messages in its issue advisories. If you are not using the search function, you can use the "<" and ">" to move the selection between the tool-generated highlights.