CustomHeaderZ is a comprehensive Burp Suite extension that enhances your web testing capabilities by allowing you to inject, manage, and dynamically update HTTP headers with precision and flexibility.
Built on Burp Suite's modern Montoya API, this extension is the successor to the popular AddCustomHeader extension, offering advanced features for security professionals.
- Multiple Header Support: Unlike its predecessor, CustomHeaderZ lets you configure and manage multiple headers simultaneously
- Modern Architecture: Built on Burp Suite's latest Montoya API for improved performance and stability
- Session Token Handling: Perfect for handling JWT tokens and other authentication/session mechanisms
- Intuitive Interface: Color-coded, easy-to-use UI that integrates seamlessly with Burp Suite
- Add up to 10 custom headers with independent enable/disable toggles
- Organize headers with color coding for visual distinction
- Easily edit, add, and remove headers through an intuitive interface
- Add permanent headers to every request without modifying your browser or proxy settings
- Configure once and apply consistently across all tools in Burp Suite
- Perfect for adding authorization tokens, API keys, or custom identifiers
- Automatically extract and update tokens from previous responses
- Support for both regex pattern extraction and simple string matching
- Integrates with Burp's session handling rules and macros
- Ideal for handling CSRF tokens, JWT refresh, and other dynamic authentication mechanisms
- Color-code different headers for quick visual identification
- Enable/disable individual headers without removing configuration
- At-a-glance view of your current header configuration
- Download the compiled JAR file
- In Burp Suite, go to Extender → Extensions → Add
- Select the downloaded JAR file
- The extension will load with a new Custom HeaderZ tab
- Clone the repository:
git clone https://github.com/falasi/CustomHeaderZ.git
- Open the project in your Java IDE
- Build the project to generate the JAR file
- Load the JAR into Burp Suite as described above
- Navigate to the Custom HeaderZ tab in Burp Suite
- Use the master toggle to enable/disable the extension functionality
- Click Add Header to create a new header entry
- Configure your header:
- Header Name: The HTTP header name (e.g., Authorization, X-API-Key)
- Header Value: The static value to use (for static headers)
- Enabled: Toggle to include/exclude this header in requests
- Dynamic: Check this box if the value should be extracted from responses
For headers with unchanging values (like API keys):
- Enter the header name and value
- Leave the Dynamic checkbox unchecked
- The value will be applied to all requests
For headers that need values extracted from responses (like tokens):
- Enter the header name
- Check the Dynamic checkbox
- Right-click the header row and select Set Extraction Pattern...
- Choose between:
- Regex Pattern: For precise extraction using capture groups. Example: `Authorization:\s*Bearer\s+([A-Za-z0-9._-]+)`
- Simple String: For straightforward extraction. Example: `"access_token":"`
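The two extraction modes above, plus the static/dynamic and enable/disable behaviour of the header table, modelled in Python as an added example; this is not the extension's own code (CustomHeaderZ is a Java Montoya extension). The `HeaderRule` field names, the terminator set used for simple-string matching and the sample response are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
@dataclass
class HeaderRule:
    name: str
    value: str = ""         # static value, or the last token extracted for a dynamic rule
    enabled: bool = True    # per-row toggle from the header table
    dynamic: bool = False   # True: value is refreshed from responses rather than typed in
    pattern: str = None     # regex with one capture group, or a plain marker string
    use_regex: bool = False

def extract_token(rule, response_text):  # token selected by the rule's pattern, or None
    if rule.use_regex:
        m = re.search(rule.pattern, response_text)
        # group 1 is the token; fall back to the whole match if the pattern has no group
        return (m.group(1) if m.lastindex else m.group(0)) if m else None
    # simple string: value starts right after the marker and runs until a terminator;
    # the terminator set (quote, whitespace, comma, brace, ampersand) is an assumption here
    idx = response_text.find(rule.pattern)
    if idx < 0:
        return None
    start = idx + len(rule.pattern)
    length = re.match(r'[^"\s,}&]*', response_text[start:]).end()
    return response_text[start:start + length] or None

def update_dynamic_headers(rules, response_text):  # returns the names that were refreshed
    updated = []
    for r in (r for r in rules if r.dynamic and r.pattern):
        token = extract_token(r, response_text)
        if token:
            r.value = token
            updated.append(r.name)
    return updated

def apply_headers(rules, request_headers, master_enabled=True):
    # inject active rules into (name, value) pairs, replacing same-named headers case-insensitively
    active = [r for r in rules if master_enabled and r.enabled and r.value]
    kept = [(n, v) for n, v in request_headers if n.lower() not in {r.name.lower() for r in active}]
    return kept + [(r.name, r.value) for r in active]

SAMPLE_RESPONSE = ('HTTP/1.1 200 OK\r\nAuthorization: Bearer eyJhbGciOi.constructed.sig\r\n\r\n'
                   '{"access_token":"tok_constructed_123","expires_in":3600}')  # constructed, not real
def demo_rules():
    return [
        HeaderRule("X-Token", dynamic=True, use_regex=True,
                   pattern=r"Authorization:\s*Bearer\s+([A-Za-z0-9._-]+)"),  # the README's regex
        HeaderRule("X-Access-Token", dynamic=True, pattern='"access_token":"'),  # README's simple string
        HeaderRule("X-API-Key", value="constructed-api-key"),                    # static header
        HeaderRule("X-Debug", value="1", enabled=False),                         # present but toggled off
    ]
```

A dynamic rule contributes nothing until a response has matched its pattern, which is the behaviour to check first when a token header is missing from outgoing requests.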
- Color-Coding: Right-click any header row to assign a color
- Reordering: Use the table to visually organize your headers
- Toggle Headers: Quickly enable/disable headers without removing them
For dynamic headers with values that need to be refreshed:
- Configure a dynamic header with an extraction pattern
- In Burp, go to Project options → Sessions
- Under Session Handling Rules, add a new rule
- In the rule details, add a new Run a macro action
- Configure the macro to target the authentication endpoint
- Add the CustomHeaderZ Extract Token action to the rule
- Apply the rule scope as needed
- Verify your macro produces responses containing the expected tokens
- Check your extraction pattern against the actual response content
- For regex patterns, ensure capture groups are correctly defined
- Enable Burp Suite's logging for detailed diagnostic information
- Confirm the master toggle is enabled in the CustomHeaderZ tab
- Check that individual headers are marked as enabled
- Verify the header isn't being overwritten by another extension
- Check the scope settings in your session handling rules
- Right-click on a header row to set its extraction pattern
- Use Burp's logger (in the Extender tab) to see CustomHeaderZ's output
- Test your regex patterns with a tool like regex101.com before using them
Contributions to enhance CustomHeaderZ are welcome! Feel free to:
- Report bugs by opening an issue
- Suggest new features or improvements
- Submit pull requests with bug fixes or enhancements