I think that the "Reveal hidden fields in HTML pages" option from WebScarab is better than the equivalent option in Burp Proxy, "unhide hidden form fields". Therefore I ported the WebScarab code in charge of this to Burp Suite as a BurpExtender extension.

Sometimes it can save time to simply unhide hidden fields in order to see or modify them when testing a web application. Both Burp Proxy and WebScarab offer this option. However, it seems that "unhide hidden form fields" in Burp only reveals the field values and not the field names.

With the native "unhide hidden form fields" option with Burp Proxy, the revealed fields look like:


With the Burp Proxy extension I wrote (with WebScarab code), the names of the fields are displayed before the values:


This code was tested with Burp Suite Professional 1.3.07 and the free version 1.3.03.

import java.net.URL;
import java.util.*;
import java.util.regex.*;
import java.io.*;

public class BurpExtender {
    public burp.IBurpExtenderCallbacks mCallbacks;

    // Called by Burp Proxy for every request and response that passes through it
    public byte[] processProxyMessage(int messageReference, boolean messageIsRequest,
                  String remoteHost, int remotePort, boolean serviceIsHttps, String httpMethod,
                  String url, String resourceType, String statusCode, String responseContentType,
                  byte[] message, int[] interceptAction) {

        // Only responses are rewritten; requests pass through untouched
        if (!messageIsRequest) {
            try {
                URL uUrl = new URL(serviceIsHttps ? "HTTPS" : "HTTP", remoteHost, remotePort, url);
                // We are only looking at URLs that are in scope in Burp (Target tab) and only at
                // text-based content types. In some cases responseContentType is null; this was
                // found to be the case when Content-Length is 0 (identified using mCallbacks.getHeaders())
                if (mCallbacks.isInScope(uUrl) && responseContentType != null
                     && responseContentType.contains("text"))
                    return revealHidden(message);
            }
            catch (Exception e) {
                // On any error, fall through and return the response unmodified
            }
        }
        return message;
    }

    public void registerExtenderCallbacks(burp.IBurpExtenderCallbacks callbacks) {
        mCallbacks = callbacks;
    }

    // Code from WebScarab (slightly modified)
    private byte[] revealHidden(byte[] content) {
        /* We split this pattern into two parts, one before "hidden" and one after
         * Then it is simple to concatenate part 1 + "text" + part 2 to get an
         * "unhidden" input tag
         */
        Pattern inputPattern = Pattern.compile("(<input.+?type\\s*=\\s*[\"']{0,1})hidden([\"']{0,1}.+?>)", Pattern.CASE_INSENSITIVE);
        Matcher inputMatcher = inputPattern.matcher(new String(content));
        StringBuffer outbuf = new StringBuffer();
        boolean matchedOnce = false;
        /* matched hidden input parameter */
        while(inputMatcher.find()) {
            matchedOnce = true;
            String input = inputMatcher.group();
            String name = "noname";

            // extract hidden field name
            Pattern namePattern = Pattern.compile("name=[\"']{0,1}(\\w+)[\"']{0,1}", Pattern.CASE_INSENSITIVE);
            Matcher nameMatcher = namePattern.matcher(input);
            if (nameMatcher.find() && nameMatcher.groupCount() == 1){
                name = nameMatcher.group(1);
            }

            // make hidden field a text field - there MUST be 2 groups
            // Note: this way we don't have to care about which quotes are being used
            input = inputMatcher.group(1) + "text" + inputMatcher.group(2);

            /* insert [hidden] <fieldname> before the field itself */
            // quoteReplacement() keeps '$' and '\' in the tag from being read as group references
            inputMatcher.appendReplacement(outbuf, Matcher.quoteReplacement("<STRONG style=\"background-color: white;\"> [hidden field name =\"" + name + "\"]:</STRONG> "+ input + "<BR/>"));
        }
        // copy the rest of the page that follows the last hidden field
        inputMatcher.appendTail(outbuf);
        return matchedOnce ? outbuf.toString().getBytes() : content;
    }
} // end BurpExtender

You can download the extension as a jar file (attachment below). To use it, you need to launch Burp this way:

java -classpath burpreveal.jar:burpsuite_v1.3.03.jar burp.StartBurp

On Windows-based platforms, use a semicolon character instead of the colon as the classpath separator.

Only the websites that are defined in the proxy scope will have their fields revealed (Target->Scope).
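
A tag-scoped variant of the reveal logic, added here as an example and not part of the original extension or of WebScarab. It goes beyond the code above by matching one input tag at a time, so attribute order, line breaks inside a tag and names such as item[price] (which \w+ would cut short) are handled, and it HTML-escapes the name before writing it into the page. The class name RevealHiddenDemo and the sample markup are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (hypothetical class name): tag-scoped variant of revealHidden().
public class RevealHiddenDemo {
    // One <input ...> tag per match; [^>]* also spans line breaks inside the tag.
    private static final Pattern INPUT = Pattern.compile("<input\\b[^>]*>", Pattern.CASE_INSENSITIVE);
    // type=hidden anywhere in the tag, quoted or bare; group 1 is everything before "hidden".
    private static final Pattern HIDDEN = Pattern.compile(
        "(\\stype\\s*=\\s*[\"']?)hidden\\b", Pattern.CASE_INSENSITIVE);
    // name attribute: double-quoted (group 1), single-quoted (group 2) or bare (group 3).
    private static final Pattern NAME = Pattern.compile(
        "\\sname\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+))", Pattern.CASE_INSENSITIVE);

    // The name is attacker-influenced page content, so escape it before echoing it as a label.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    static String reveal(String html) {
        Matcher tag = INPUT.matcher(html);
        StringBuffer out = new StringBuffer();
        while (tag.find()) {
            String input = tag.group();
            Matcher type = HIDDEN.matcher(input);
            if (!type.find()) continue; // visible field: copied unchanged by the next append
            Matcher nm = NAME.matcher(input);
            String name = "noname";
            if (nm.find()) {
                name = nm.group(1) != null ? nm.group(1) : nm.group(2) != null ? nm.group(2) : nm.group(3);
            }
            // Replace only the word "hidden" with "text"; the original quotes stay in place.
            String shown = input.substring(0, type.start()) + type.group(1) + "text" + input.substring(type.end());
            String label = "<STRONG style=\"background-color: white;\"> [hidden field name =\""
                + escape(name) + "\"]:</STRONG> ";
            // quoteReplacement() stops '$' in names or values from being parsed as a group reference.
            tag.appendReplacement(out, Matcher.quoteReplacement(label + shown + "<BR/>"));
        }
        tag.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample markup: a visible field, a '$' in a value, a multi-line tag, a nameless field.
        String html = "<form><input type=\"text\" name=\"q\"><input type=\"hidden\" name=\"csrf_token\" value=\"a$1\">\n"
            + "<input name='item[price]'\n  type='hidden' value='10'><input type=hidden value=x></form>";
        System.out.println(reveal(html));
    }
}
```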