Skip to content

Fix NullPointerException when Host header is lowercase#123

Open
63n0 wants to merge 1 commit into
PortSwigger:masterfrom
63n0:master
Open

Fix NullPointerException when Host header is lowercase#123
63n0 wants to merge 1 commit into
PortSwigger:masterfrom
63n0:master

Conversation

@63n0

@63n0 63n0 commented Jun 8, 2026

Copy link
Copy Markdown

Summary

Param Miner currently only recognizes the Host header when it is written as Host: .

When running Guess Headers against an HTTP/1.1 request that uses a lowercase host header, the host value is not extracted correctly, which later results in a NullPointerException.

This change makes the Host header lookup case-insensitive so that requests using host: are handled correctly.

Reproduction

Run Guess Headers against the following request:

GET / HTTP/1.1
host: localhost

The extension throws the following exception:

java.lang.NullPointerException: Cannot invoke "java.lang.CharSequence.toString()" because "replacement" is null
	at java.base/java.lang.String.replace(String.java:3151)
	at burp.ParamNameInsertionPoint.getValue(BurpExtender.java:341)
    ...

Root Cause

The code only checks for headers beginning with Host: :

if (header.startsWith("Host: ")) {

HTTP header field names are case-insensitive, so requests using host: are not recognized. As a result, the host variable remains unset and a NullPointerException occurs later during header guessing.

Fix

Perform a case-insensitive match when extracting the Host header value.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@63n0