Burp Suite message editor

The message editor is used throughout Burp for viewing and editing HTTP requests and responses, as well as WebSocket messages. In addition to displaying the messages themselves, the editor includes a large number of functions to help you quickly analyze the messages further, drive Burp's core workflow, and carry out other useful tasks.

The message editor primarily consists of the following panels:

For an introduction to the Inspector, refer to Getting started with the Inspector.

In the upper-right corner of the message editor, there are three icons for adjusting the layout based on how you prefer to work. You can choose from the following options:

Message analysis toolbar

At the top of each request or response is the message analysis toolbar. This provides different tabs that show alternative views of the message content and provide some additional features for performing common operations.

By default, the Pretty, Raw, Hex, and Render tabs are displayed, but you can remove or reorder the tabs, and add some extra ones from the settings menu.

Raw tab

In this tab, the text editor displays the full message in its raw form. The text editor includes various useful functions including syntax analysis, hotkeys, and text search. You can use the \n button to toggle whether non-printing characters are displayed.

In some of Burp's tools, such as Burp Repeater, you can also make changes to requests directly in the text editor.

You can access a wide range of context-specific actions for both requests and responses either from the Actions menu or by right-clicking anywhere on the relevant message. By selecting one or more characters in a message, you can also work with specific values in the Inspector.

Pretty tab

In this tab, you can access all of the same functionality as in the Raw tab. The key difference is that the text editor's pretty printing feature is enabled. This greatly improves the readability of data, markup, and code in HTTP messages by displaying them with standardized indentation and line breaks.

In editable messages, supported text formats will be dynamically prettified as you type wherever possible. Otherwise, the text will be prettified when you send the request.

Note

This tab is only available if the message contains content in one of the supported formats.

Hex tab

This tab displays messages in raw form in a hexadecimal editor. It shows messages arranged into lines of 16 bytes, and displays the hex value of each byte. You can edit messages in the hex tab, and any values that you insert can be given as characters or in two-digit hexadecimal form, from 00 through FF.

Any selected bytes appear in the Inspector. You can edit individual bytes directly in the Inspector or by double-clicking values in the table. You can select rows of bytes by clicking the row number, and view the selection in the Inspector.

The hex tab is useful when you want to:

The context menu for this tab additionally has the following items:

Render tab

This tab applies to HTTP responses containing HTML or image content. It attempts to render the contents of the message body in the form it would appear when displayed in a browser.

Additional tabs

You can also choose to add the following tabs to the message editor:

These tabs provide an alternative way to work with items in HTTP messages.

To add tabs to the message editor, click the settings icon in the upper-right corner, above the Inspector panel, then select the Message editor options.

Enabling tabs in the message editor

These tabs provide the same functionality as the widgets in the Inspector panel.

Please see the Inspector documentation for more details.

Extension-specific tabs

Some Burp extensions provide additional tabs for the message editor. You can access these views from the drop-down menu to the right of the toolbar.

If you haven't yet opened an extension-specific tab, the menu button will say Select extension.... Clicking this button displays a list of all the currently loaded extensions for which a message editor tab is available. Select one of the extensions to switch to its custom tab.

Once you have opened an extension-specific tab, the menu button displays the name of the extension. You can now alternate between this tab and the default tabs in the editor by clicking on the corresponding buttons. You can use the arrow on the right-hand side of the button to change which extension it displays.

Actions menu

The Actions menu provides quick access to the full range of context-specific actions that are available for the current request.

Other ways of using the message editor

You can also do the following things with the message editor:

Note

Instead of using the Inspector to edit code points for a character, some users may find it quicker to URL-encode a selection and edit the relevant hex codes in-line before decoding the selection back to its original form. This is particularly effective if you use the corresponding hotkeys.

HTTP/2 messages in the message editor

The message editor displays a representation of HTTP/2 messages using HTTP/1 syntax, essentially showing you what the equivalent HTTP/1 request would look like. Whenever you make changes, Burp automatically converts these to their HTTP/2 equivalent behind the scenes and updates the underlying HTTP/2 request. In many cases, the protocol you're using is irrelevant, so for general testing purposes, this enables you to use the message editor with HTTP/2 as normal.

As this HTTP/1-style view is bound by the limitations of HTTP/1 syntax and requires some lightweight normalization to ensure that a valid HTTP/2 request is produced, it may not be suitable when testing for protocol-level issues that are exclusive to HTTP/2. In this case, we recommend using the Inspector to work with HTTP/2.

For more detailed information, please refer to the HTTP/2 documentation.
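The relationship between the HTTP/1-style view and the underlying HTTP/2 header list can be illustrated with the generic mapping defined in RFC 9113. The following is an added example, not Burp's conversion code; the function name, the `https` default scheme and the sample request are assumptions made for illustration.

```python
# Added illustration: generic HTTP/1-style text -> HTTP/2 header list (RFC 9113).
# Not Burp's code; h1_to_h2_headers and SAMPLE are hypothetical names.

# Connection-specific headers that HTTP/2 does not carry (RFC 9113, section 8.2.2).
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}


def h1_to_h2_headers(raw_request: bytes, scheme: str = "https"):
    """Return the ordered (name, value) list that an HTTP/2 request would carry."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)

    authority, regular = None, []
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()  # HTTP/2 names are lowercase
        if name == "host":
            authority = value               # Host is carried as :authority
        elif name not in CONNECTION_SPECIFIC:
            regular.append((name, value))   # everything else keeps its order

    pseudo = [(":method", method), (":scheme", scheme), (":path", target)]
    if authority is not None:
        pseudo.append((":authority", authority))
    return pseudo + regular                 # pseudo-headers always come first


# Constructed sample request, written in HTTP/1 syntax.
SAMPLE = (b"POST /login?next=%2Fhome HTTP/2\r\n"
          b"Host: app.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Connection: keep-alive\r\n"
          b"X-Trace-Id: abc123\r\n"
          b"\r\n"
          b"user=alice")

if __name__ == "__main__":
    for name, value in h1_to_h2_headers(SAMPLE):
        print(f"{name}: {value}")
```

The mapping is lossy: header-name case and connection-specific headers do not survive it, so different HTTP/1-style texts can produce the same HTTP/2 header list.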

Context-specific actions

You can access a range of context-specific actions for a request or response by clicking the Actions button. Alternatively, you can right-click on the message and select an action from the context menu. The available actions depend on the message type. These are described below.

Note

The menu may also include additional items that are specific to the tool in which the editor appears (for example, in Repeater, the context menu has options to paste a URL as a request, and add the current item to the site map).

Scan / send to ...

You can send any message, or a selected portion of the message, to other Burp tools, to perform further attacks or analysis. The ability to send requests between tools forms the core of Burp's user-driven workflow.

Show response in browser

You can use this to render the selected response in Burp's browser, to avoid the limitations of Burp's built-in HTML renderer. When you select this option, Burp gives you a unique URL that you can paste into Burp's browser, to render the response. The resulting browser request is served by Burp with the exact response that you selected (the request is not forwarded to the original web server), and yet the response is processed by the browser in the context of the originally requested URL. Hence, relative links within the response will be handled properly by the browser. As a result, the browser may make additional requests (for images, CSS, etc.) in the course of rendering the response - these will be handled by Burp in the usual way.

Request in browser

You can use this to re-issue the selected request in Burp's browser. The following sub-options are available:

Engagement tools

This submenu contains various useful functions for carrying out engagement-related tasks:

Change request method

For requests, you can automatically switch the request method between GET and POST, with all relevant request parameters suitably relocated within the request. This option can be used to quickly test the application's tolerance of parameter location, e.g. to bypass input filters or fine-tune a cross-site scripting attack.
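The relocation of parameters can be shown on a raw request. The following is an added example, not Burp's implementation: `change_request_method` and the sample request are hypothetical, and it assumes HTTP/1.1 syntax with URL-encoded form parameters only.

```python
# Added illustration of moving parameters between the query string and the body.
# Not Burp's code; change_request_method and SAMPLE_GET are hypothetical names.

FORM = b"application/x-www-form-urlencoded"


def change_request_method(raw: bytes) -> bytes:
    """Toggle a raw request between GET (query string) and POST (form body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, version = request_line.split(b" ", 2)
    path, _, query = target.partition(b"?")

    # Keep every header except the two that describe the body; those are rebuilt.
    kept, content_type = [], b""
    for line in header_lines:
        name, _, value = line.partition(b":")
        lname = name.strip().lower()
        if lname == b"content-type":
            content_type = value.strip().lower()
        elif lname != b"content-length":
            kept.append(line)

    if method == b"GET":
        # Query parameters become the body; the length must match the new body.
        method, target, body = b"POST", path, query
        kept += [b"Content-Type: " + FORM,
                 b"Content-Length: " + str(len(body)).encode()]
    elif method == b"POST":
        if body and not content_type.startswith(FORM):
            raise ValueError("body is not URL-encoded form data")
        # Body parameters are appended to any parameters already in the URL.
        merged = b"&".join(part for part in (query, body) if part)
        method, body = b"GET", b""
        target = path + (b"?" + merged if merged else b"")
    else:
        raise ValueError("only GET and POST are handled here")

    new_line = b" ".join((method, target, version))
    return b"\r\n".join([new_line, *kept]) + b"\r\n\r\n" + body


# Constructed sample request.
SAMPLE_GET = (b"GET /search?q=test&lang=en HTTP/1.1\r\n"
              b"Host: app.example\r\n"
              b"Cookie: session=constructed\r\n"
              b"\r\n")

if __name__ == "__main__":
    print(change_request_method(SAMPLE_GET).decode())
```

Comparing the server's responses to both forms of the same request shows whether its input handling depends on where a parameter arrives.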

Change body encoding

For requests, you can switch the encoding of any message body between standard URL-encoded and multipart.

Copy URL

This function copies the full current URL to the clipboard.

Copy as curl command

This function copies to the clipboard a curl command that can be used to generate the current request.

Copy to file

This function allows you to select a file and copy the contents of the current message to the file. This is handy for binary content, when copying via the clipboard may cause problems. Copying operates on the selected text or, if nothing is selected, the whole message.

Paste from file

This function allows you to select a file and paste the contents of the file into the message. This is handy for binary content, when pasting via the clipboard may cause problems. Pasting replaces the selected text or, if nothing is selected, inserts at the cursor position.

Save item

This function lets you specify a file to save the selected request and response in XML format, including all relevant metadata such as response length, HTTP status code and MIME type.

Convert selection

This applies to the Raw view only. The submenu items enable you to perform quick encoding or decoding of the selected text in a variety of schemes. If the message is editable, then the conversion is performed in-place to the selected text. If the message is not editable, then the result of the conversion is shown in a dialog. The following types of conversion are available:

URL-encode as you type

This applies to the Raw view only. If this option is turned on, characters like & and = will be automatically replaced with their URL-encoded equivalents as you type.