Don't do Bug hunting without knowing this - Use Custom Headers in Burp Suite


Ever wondered why you might get blacklisted while participating in a bug bounty program? Well, here's the deal: some platforms include specific instructions in the program's rules, like requiring testers to add a custom header to each request or limiting the number of requests within a certain timeframe. But hey, we often skip those rules, right? Well, that's exactly why your requests might get blocked! So, take a moment to read the rules carefully unless you want to end up on the program's blacklist. As a beginner in web application penetration testing, it's essential to learn this. Just follow these simple steps, and you'll be good to go!

Step 1: Add a Custom Header Using Match and Replace

  1. In Burp Suite, go to the Proxy tab and select the Options sub-tab.

  2. Scroll down to the Match and Replace section and click Add to create a new rule.

  3. Set up the rule:

    • Match: Leave blank to apply the custom header to all requests.

    • Replace: Enter the custom header you want to add, for example:

        X-My-Custom-Header: 12345

  4. Click OK to save the rule.

Step 2: Test Your Custom Header

  1. Start intercepting requests in Burp Suite.

  2. Go to Proxy > Intercept and check the intercepted HTTP requests.

  3. Verify that your custom header (e.g., X-My-Custom-Header: 12345) is included in the request headers.

Step 3: Use Custom Headers for Whitelisting or Access Bypass

  • Some web applications check for specific custom headers to allow access or authenticate users.

  • By adding these custom headers through Burp Suite, you can impersonate trusted users or bypass restrictions.

  • For example, some applications might grant access based on the presence of certain headers, or allow actions only if a specific header is included.
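Seen from the server side, this is exactly why a check that only looks for the presence of a header is not an access control: anyone with Burp can add the header. The following added example (not code from the original post) contrasts a presence-only check with one that binds the header value to a server-held secret. Everything in it is constructed: the header names, the client id, and SERVER_SECRET are assumptions for illustration, and headers are modelled as a plain dict with exact-case keys.

```python
import hmac

# Constructed server-side secret for the demo; a real service generates one
# at deploy time and never sends it to clients.
SERVER_SECRET = b"constructed-demo-secret-do-not-use"


def weak_check(headers: dict) -> bool:
    """Access decision based only on header presence.

    Any client can add 'X-Internal-Request' (e.g. with a Burp Match and
    Replace rule), so this grants access to whoever knows the header name.
    """
    return "X-Internal-Request" in headers


def issue_token(client_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Server side: derive a per-client token from a secret the client never sees.

    The token is handed out once through an authenticated channel; the client
    later presents it in the 'X-Client-Token' header.
    """
    return hmac.new(secret, client_id.encode("utf-8"), "sha256").hexdigest()


def strong_check(headers: dict, secret: bytes = SERVER_SECRET) -> bool:
    """Access decision that requires a secret-bound value.

    Presence alone is not enough: the value must equal the HMAC the server
    would compute for that client, compared in constant time so the check
    does not leak how many leading characters were right.
    """
    client_id = headers.get("X-Client-Id", "")
    presented = headers.get("X-Client-Token", "")
    if not client_id or not presented:
        return False
    expected = issue_token(client_id, secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Header sets as they might arrive at the server (constructed for the demo).
    forged = {"X-Internal-Request": "1"}
    print("weak check, forged header:", weak_check(forged))      # True: presence is enough
    guessed = {"X-Client-Id": "researcher-42", "X-Client-Token": "12345"}
    print("strong check, guessed token:", strong_check(guessed))  # False
    legit = {"X-Client-Id": "researcher-42",
             "X-Client-Token": issue_token("researcher-42")}
    print("strong check, issued token:", strong_check(legit))     # True
```

The design point is that a bug bounty identification header such as X-My-Custom-Header: 12345 tells the program whose traffic it is looking at; it should never be the thing that decides what that traffic is allowed to do.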

Step 4: Automate Header Injection

  • You can fine-tune which requests get the custom header by using regular expressions in the Match field.

  • If you need to add multiple headers, repeat the Match and Replace process for each one.
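To make Steps 1, 2 and 4 concrete without a running proxy, here is an added example (not code from the original post or from Burp Suite) that models what a Match and Replace rule of type "Request header" does to a raw request: an empty Match adds the Replace text as a new header to every request, while a non-empty Match is applied as a regex to each header line and only requests containing a match are changed. The sample request, the Host value target.example, and the header X-My-Custom-Header: 12345 are constructed for the demo; the model handles one rule per header, as the post suggests, and does not reproduce every Burp option.

```python
import re
from typing import Iterable, Optional, Tuple

# Constructed sample request, as the proxy would see it before any rule runs.
SAMPLE_REQUEST = (
    "GET /api/items?id=7 HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "User-Agent: demo-client\r\n"
    "\r\n"
)


def _split(raw_request: str) -> Tuple[str, str, str]:
    """Split a raw HTTP request into (header block, blank-line separator, body)."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP request: missing blank line after headers")
    return head, sep, body


def apply_rule(raw_request: str, match: str, replace: str) -> str:
    """Model of one 'Request header' Match and Replace rule (Step 1 / Step 4).

    match == "" : add `replace` as a new header line to every request.
    match != "" : treat `match` as a regex over each header line; matching text
                  is replaced by `replace`, so a request with no match is
                  returned unchanged. `replace` may contain "\\r\\n" to inject
                  an extra header right after the matched one.
    """
    head, sep, body = _split(raw_request)
    if match == "":
        new_head = head + "\r\n" + replace
    else:
        new_lines = [re.sub(match, replace, line) for line in head.split("\r\n")]
        new_head = "\r\n".join(new_lines)
    return new_head + sep + body


def apply_rules(raw_request: str, rules: Iterable[Tuple[str, str]]) -> str:
    """Apply several (match, replace) rules in order: one rule per header to add."""
    for match, replace in rules:
        raw_request = apply_rule(raw_request, match, replace)
    return raw_request


def has_header(raw_request: str, name: str, value: Optional[str] = None) -> bool:
    """Step 2 check: is the header present, and (if given) does it carry this value?"""
    head = _split(raw_request)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        key, _, val = line.partition(":")
        if key.strip().lower() == name.lower():
            return value is None or val.strip() == value
    return False


if __name__ == "__main__":
    # Step 1: blank Match, header added to everything.
    r1 = apply_rule(SAMPLE_REQUEST, "", "X-My-Custom-Header: 12345")
    print(has_header(r1, "X-My-Custom-Header", "12345"))  # True
    # Step 4: regex-scoped rule, header only added when the Host line matches.
    scoped = (r"^Host: target\.example$",
              "Host: target.example\r\nX-My-Custom-Header: 12345")
    r2 = apply_rule(SAMPLE_REQUEST, *scoped)
    other = SAMPLE_REQUEST.replace("target.example", "other.example")
    print(has_header(r2, "X-My-Custom-Header"), has_header(apply_rule(other, *scoped), "X-My-Custom-Header"))  # True False
```

Running has_header on the modified request is the same check you do by eye in Proxy > Intercept; matching on the Host line is a handy way to limit a rule to the in-scope target so that traffic to other sites does not carry your program identifier.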
Using Burp Suite to inject custom headers can help you bypass restrictions, impersonate users, or automate testing for web applications. Now you can control what headers are sent with every request!