RequestRedactorX is a Burp Suite extension designed to safely extract, clean, and share HTTP requests without exposing sensitive data. It provides a fast and flexible way to copy sanitized requests during pentesting, reporting, or team communication.
The extension introduces four powerful copy modes, giving full control over how requests are redacted.
- Copy without headers
Generates a lightweight version of the request by removing all HTTP headers. - Copy with header censorship
Automatically censors sensitive headers (e.g., Authorization, Cookies, Tokens) based on a customizable list. - Copy with parameter masking
Masks sensitive parameters in:- URL query
- Body parameters (x-www-form-urlencoded)
- JSON bodies (recursive key-based sanitization)
- Copy with full sanitization (headers + parameters)
Produces a fully redacted request suitable for sending in tickets, Slack, or documentation without leaking secrets. - JSON body handling
Supports sanitizing nested JSON structures and formatting JSON bodies for improved readability (jq-style pretty-printing optional). - Dedicated UI panels to manage:
- Sensitive headers list
- Parameter names for redaction and masking
- Redact/mask placeholders
- JSON formatting toggle (Include JSON format copying)
- Clean, fast, minimal GUI
Optimized for efficient pentesting workflows, reporting, and secure sharing.
To use the extension, follow these steps:
- Install RequestRedactorX in Burp Suite.
- Open the extension panel and configure:
- The list of sensitive headers to censor and placeholders
- The parameter names that should be masked and placeholders
- Right-click any HTTP request inside Burp Suite (Proxy, Repeater, Intruder, etc.).
- Select one of the available copy options:
- Copy request (headers sanitized)
- Copy request (headers/params redacted)
- Copy request (headers/params masked)
- Copy request (sanitize + redact + mask)
- Paste the sanitized request wherever you need — reports, tickets, Slack, or documentation — without exposing sensitive data.
⸻
Example result
- Original request
POST /client/ HTTP/2 Host: localhost:32564 Cache-Control: max-age=0 Accept-Language: pl-PL,pl;q=0.9 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://localhost:32564/ Accept-Encoding: gzip, deflate, br Cookie: access_token=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IkhlbGxvVGhlcmUiLCJpc3MiOiJhZHZlbnR1cmVyIiwiZXhwIjoxNzY1NjMwMjQ3LjA1MTc1MDJ9.J8nxYMXkV2yfcl1rJuILxAxZdlkzNrCpdDLy6BKladbuAlqFlWGQXc8UJQ1brHjDlns1vRxr38N-mpKkeYgJbA Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IkhlbGxvVGhlcmUiLCJpc3MiOiJhZHZlbnR1cmVyIiwiZXhwIjoxNzY1NjMwMjQ3LjA1MTc1MDJ9.J8nxYMXkV2yfcl1rJuILxAxZdlkzNrCpdDLy6BKladbuAlqFlWGQXc8UJQ1brHjDlns1vRxr38N-mpKkeYgJbA Content-Type: application/x-www-form-urlencoded Content-Length: 27 username=test&password=test
- Redacted request
POST /client/ HTTP/2 Host: localhost:32564 Cache-Control: max-age=0 User-Agent: [...] Referer: http://localhost:32564/ Cookie: [...REDACTED...] Authorization: Bearer [...REDACTED...] Content-Type: application/x-www-form-urlencoded Content-Length: 27 username=[...]&password=[REDACTED]
⸻
🔒 Why RequestRedactorX?
During pentests, bug bounty work, and code reviews, security engineers frequently need to share request samples. Standard copy/paste often exposes tokens, session cookies, or PII. RequestRedactorX eliminates this risk, transforming real traffic into safe, sanitized artifacts — instantly.
🛠️ Ideal for
- Pentesters
- Bug bounty hunters
- Security engineers
- Developers and QA teams needing safe HTTP samples