Message Editor
The message editor is used throughout Burp for viewing and editing HTTP
requests and responses, and WebSockets messages. As well as displaying the
raw messages themselves, the editor includes a large number of functions to
help you quickly analyze the messages further, drive Burp's core workflow,
and carry out other useful tasks.
Message Analysis Tabs
The editor uses various tabs to display and analyze different types of
messages. The tabs that are shown depend on the type and contents of
the currently displayed message.
Raw
This tab displays the message in raw form in a text editor. The text editor
includes several useful functions, including syntax analysis, hotkeys and
text search.
Params
This tab applies only to HTTP requests, and displays the request parameters in
tabular form. If the message is editable, then you can edit each parameter's
name and value directly in the table, and also change the parameter type.
You can also add, move and reorder parameters.
Where applicable, parameter names and values are displayed in the table
in their URL-decoded form, for easier viewing. When you double-click an item
for editing, it will be shown in its original form. If, while editing, you
enter any relevant metacharacters in their literal form (such as an
ampersand or equals character), these will be automatically URL-encoded when
you finish editing.
You can select a single cell and use Ctrl+C to copy its value. If you
select multiple rows, then all the selected values are copied, with
tab/newline delimiters, allowing you to easily paste the content into other
software, such as a spreadsheet.
Headers
This tab applies to any HTTP message containing headers after the first line.
It displays the header names and values in tabular form. If the message is
editable, then you can edit each header's name and value directly in the
table. You can also add, move and reorder headers.
If the message has a non-empty body, this will be displayed in the lower
half of the Headers tab, in its own text editor.
Hex
This tab displays the message in raw form in a hex editor. You can edit
individual bytes directly by double-clicking values in the table. Values
must be given in two-digit hexadecimal form, from 00 through FF.
The context menu for this tab additionally has the following items:
- Insert byte - This inserts a single new byte before
the selected byte.
- Insert bytes - This inserts the requested number of
new bytes before the selected byte.
- Insert string - This inserts the specified string
before the selected byte.
- Delete byte - This deletes the selected byte.
- Delete bytes - This deletes the requested number of
bytes starting at the selected byte.
HTML
This tab applies to HTTP responses containing HTML content in the message
body. The tab displays only the HTML (no headers), and shows this in a
prettified form, with the content laid out and indented according to the
HTML tag hierarchy. The main use of this tab is to make badly formatted HTML
(as shown in the Raw tab) more easily readable.
XML
This tab applies to HTTP responses containing XML content in the message body.
The tab displays only the XML (no headers), and shows this in a prettified
form, with the content laid out and indented according to the XML tag
hierarchy. The main use of this tab is to make badly formatted XML (as shown
in the Raw tab) more easily readable.
Render
This tab applies to HTTP responses containing HTML or image content. It
attempts to render the contents of the message body in the form it would
appear when displayed in a browser.
ViewState
This tab applies to HTTP messages containing an ASP.NET ViewState (either as a
parameter in requests, or as a form field in responses). The contents of the
ViewState are unpacked and displayed in a tree structure (unless the
ViewState is encrypted). The raw data itself is shown in a panel below the
tree (in a text editor for ViewState v1.0 and in a hex editor for v2.0).
If the message is editable, then you can edit the raw data in the lower
panel to modify the ViewState. (The tree itself is not editable.) When you
have finished editing the raw data, if you select another tab in the message
editor, and then re-select the ViewState tab, then the tree will be redrawn
with your updated content. Note that if the ViewState is MAC-enabled, then
editing it is unlikely to achieve anything, because the server-side platform
will reject the modified data.
AMF
This tab applies to HTTP messages with a message body containing a Flash
message in Action Message Format (AMF). The contents of the message are
unpacked and displayed in a tree structure. There are columns showing the
data type and value for each item in the tree. If the message is editable,
you can modify literal data values by double-clicking them.
Context Menu Commands
Right-clicking on the message editor produces a context menu that can be
used to perform various actions, depending on the message type:
- Scan / send to ... - You can send any message, or a selected portion
of the message, to other Burp tools, to perform further attacks
or analysis. The ability to send requests between tools forms the core
of Burp's user-driven workflow.
- Show response in browser - You can use this to render
the selected response in your browser, to avoid the limitations of Burp's
built-in HTML renderer. When you select this option, Burp gives you a unique
URL that you can paste into your browser (configured to use the current
instance of Burp as its proxy), to render the response. The resulting browser
request is served by Burp with the exact response that you selected (the
request is not forwarded to the original web server), and yet the response
is processed by the browser in the context of the originally requested URL.
Hence, relative links within the response will be handled properly by your
browser. As a result, your browser may make additional requests (for images,
CSS, etc.) in the course of rendering the response - these will be handled
by Burp in the usual way.
- Request in browser - You can use this to re-issue the
selected request in your browser (configured to use the current instance
of Burp as its proxy). The following sub-options are available:
- In original session - This causes Burp to issue
the request using the exact Cookie header that appeared in the
original request.
- In current browser session - This causes Burp
to issue the request using the cookies supplied by your browser. You
can use this feature to facilitate testing of access controls, by
selecting requests within Burp that were generated within one user
context (e.g. an administrator), and reissuing the requests within a
different user context that you are now logged in as (e.g. an
ordinary user). When you are dealing with complex, multi-stage
processes, this methodology, of manually pasting a series of URLs
from Burp into your browser, is normally a lot easier than repeating
a multi-stage process over and over, and modifying cookies manually
using the Proxy.
- Engagement tools - [Pro version] This submenu contains various useful
functions for carrying out engagement-related tasks:
- Find references - [Pro version] You can use the Find references function
to search all of Burp's tools for HTTP responses that link to the
currently displayed item.
- Discover content - [Pro version] You can use the Discover content
function to discover content and functionality that is not linked from
visible content which you can browse to or spider.
- Schedule task - [Pro version] You can use the Schedule task function to
create tasks that will run automatically at defined times and intervals.
- Generate CSRF PoC - [Pro version] You can use the Generate CSRF PoC
function to create some HTML which, when viewed in a browser, will cause
the current request to be issued.
- Change request method - For requests, you can automatically
switch the request method between GET and POST, with all relevant request
parameters suitably relocated within the request. This option can be used
to quickly test the application's tolerance of parameter location,
e.g. to bypass input filters or fine-tune a cross-site scripting attack.
- Change body encoding - For requests, you can switch
the encoding of any message body between standard URL-encoded
and multipart.
- Copy URL - This function copies the full current URL
to the clipboard.
- Copy as curl command - This function copies to the
clipboard a curl command that can be used to generate the current
request.
- Copy to file - This function allows you to select a
file and copy the contents of the current message to the file. This is handy for
binary content, when copying via the clipboard may cause problems. Copying
operates on the selected text or, if nothing is selected, the whole message.
- Paste from file - This function allows you to select
a file and paste the contents of the file into the message. This is handy
for binary content, when pasting via the clipboard may cause problems. Pasting
replaces the selected text or, if nothing is selected, inserts at the cursor
position.
- Save item - This function lets you specify a file to
save the selected request and response in XML format, including all relevant
metadata such as response length, HTTP status code and MIME type.
- Convert selection - This applies to the
Raw tab only. The submenu items enable you to perform
quick encoding or decoding of the selected text in a variety of schemes.
If the message is editable, then the conversion is performed in-place to
the selected text. If the message is not editable, then the result of
the conversion is shown in a dialog. The following types of conversion
are available:
- URL - These options perform URL encoding or
decoding. You can optionally encode just key HTTP metacharacters, or
all characters, or all characters using 2-byte Unicode-encoding
(e.g. %u0041 for A).
- HTML - These options perform HTML encoding or
decoding. You can optionally encode just key HTML metacharacters, or
all characters, or all characters using numeric entities (e.g. &#65;
for A), or all characters using hex entities (e.g. &#x41; for A).
- Base64 - These options perform Base64 encoding
or decoding.
- Construct string - These options generate code
in various interpreted languages to dynamically construct the
selected string. It can be useful for delivering certain attacks
like SQL injection, where it is necessary to dynamically build a
string to evade input filters. The available options are JavaScript,
and SQL on the Microsoft, Oracle and MySQL platforms.
- URL-encode as you type - This applies to the
Raw tab only. If this option is turned on
then characters like & and = will be automatically replaced with their
URL-encoded equivalents as you type.
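The Params tab, the Change request method item and the Change body encoding item all operate on the same parsed view of a request. The following is an added example, written for this page and not Burp's own code, that reproduces those three behaviours on a raw HTTP/1.1 request: it lists URL, body and cookie parameters in URL-decoded form, toggles GET and POST by relocating the parameters between the query string and a URL-encoded body, and switches a body between URL-encoded and multipart form encoding. The sample request, the host app.example and the boundary string are constructed for the example; the parameter types and header handling are simplifications of what the editor does.

```python
import re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Constructed sample request; "app.example" is a placeholder host, not a real target.
SAMPLE_GET = (
    "GET /search?q=burp%20suite&page=2 HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = [tuple(s.strip() for s in line.partition(":")[::2]) for line in lines[1:]]
    return method, target, version, headers, body

def build_request(method, target, version, headers, body):
    """Inverse of parse_request: serialise the parts back into a raw request."""
    lines = [f"{method} {target} {version}"] + [f"{n}: {v}" for n, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body

def get_header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), None)

def set_header(headers, name, value):
    """Return headers with `name` replaced (appended if absent); value=None removes it."""
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + ([(name, value)] if value is not None else [])

def parameters(raw):
    """What the Params tab shows: (type, name, URL-decoded value) for URL, body and cookie params."""
    _, target, _, headers, body = parse_request(raw)
    rows = [("url", k, v) for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    if (get_header(headers, "Content-Type") or "").startswith("application/x-www-form-urlencoded"):
        rows += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for item in filter(None, (get_header(headers, "Cookie") or "").split(";")):
        name, _, value = item.strip().partition("=")
        rows.append(("cookie", name, value))
    return rows

def change_method(raw):
    """Toggle GET <-> POST, moving the parameters between query string and URL-encoded body."""
    method, target, version, headers, body = parse_request(raw)
    url = urlsplit(target)
    ctype = get_header(headers, "Content-Type") or ""
    if method == "GET":
        headers = set_header(headers, "Content-Type", "application/x-www-form-urlencoded")
        headers = set_header(headers, "Content-Length", str(len(url.query.encode())))
        return build_request("POST", url.path, version, headers, url.query)
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        query = "&".join(p for p in (url.query, body) if p)
        headers = set_header(set_header(headers, "Content-Type", None), "Content-Length", None)
        return build_request("GET", url.path + (f"?{query}" if query else ""), version, headers, "")
    raise ValueError("only GET and URL-encoded POST requests can be switched")

def change_body_encoding(raw, boundary="----ExampleBoundary"):
    """Switch the body between application/x-www-form-urlencoded and multipart/form-data."""
    method, target, version, headers, body = parse_request(raw)
    ctype = get_header(headers, "Content-Type") or ""
    if ctype.startswith("application/x-www-form-urlencoded"):
        new_body = "".join(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
            for k, v in parse_qsl(body, keep_blank_values=True)
        ) + f"--{boundary}--\r\n"
        headers = set_header(headers, "Content-Type", f"multipart/form-data; boundary={boundary}")
    elif ctype.startswith("multipart/form-data"):
        bnd = re.search(r'boundary="?([^";]+)"?', ctype).group(1)
        pairs = []
        for part in body.split(f"--{bnd}"):
            part_head, sep, value = part.partition("\r\n\r\n")
            if sep:  # the empty preamble and the closing "--" marker have no blank line
                value = value[:-2] if value.endswith("\r\n") else value
                pairs.append((re.search(r'name="([^"]*)"', part_head).group(1), value))
        new_body = urlencode(pairs, quote_via=quote)  # quote, not quote_plus: space -> %20
        headers = set_header(headers, "Content-Type", "application/x-www-form-urlencoded")
    else:
        raise ValueError("body is neither URL-encoded nor multipart")
    headers = set_header(headers, "Content-Length", str(len(new_body.encode())))
    return build_request(method, target, version, headers, new_body)

if __name__ == "__main__":
    print(parameters(SAMPLE_GET))
    as_post = change_method(SAMPLE_GET)
    print(as_post)
    print(change_body_encoding(as_post))
```

Running the script shows the three parameter rows of the sample request, the same request as a POST with a 21-byte URL-encoded body, and that body re-expressed as multipart. Content-Length is recomputed on every change, which is the detail most often forgotten when a request is rewritten by hand; a stale length is the usual reason a converted request hangs or is rejected.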
The context menu may also include additional items that are specific to
the tool in which the editor appears (for example, in
Repeater, the context menu has options to paste
a URL as a request, and add the current item to the site map).