BurpSuite – Update HTTP Header in Session Handling Rules

marko

Marko works as security professional since 2012 and performs assessments focused on web application security and code audits.

Latest posts by marko (see all)

Introduction

First, this post will not cover the basics of recoding macros or use of the session handling rules in BurpSuite. There are a lot of basic stuff to be found in the internet [1][2]. However, by default, Burp is unable to update or modify an http request HTTP header by using session handling rules and macros. This can cause in problems if you investigate REST APIs or applications which protects requests with one-time CSRF tokens. Further, the Portswigger community blog is not very useful to address this problem [4][5]. Continue reading “BurpSuite – Update HTTP Header in Session Handling Rules”