
Attack payloads in unquoted JSON attributes

EthicalEvil Aug 22, 2018 04:32PM UTC

I observed that Burp Scanner sends attack payloads in unquoted JSON attributes, which usually results in server-side parsing errors. I repeated the attack request with a quoted attribute and there were no parsing errors. Will it be a good idea to add quotes to the unquoted attribute after inserting the payloads during active scan? I am just spitballing, I may be wrong. Thank you!


Paul Johnston Aug 23, 2018 08:01AM UTC Support Center agent

Hi Apporv

Thanks for letting us know about this. I had noticed this as well. While in theory some servers may respond to invalid JSON, I expect this is quite rare, so simply removing those probes (except perhaps in thorough mode) would make some sense.

There are a few other limitations with JSON support; for example, we don’t attempt to inject payloads in any keys. This is an area we will revisit in future, although that is likely to be some time away.

Thanks again for reporting this behavior.
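
The behaviour discussed in this thread, as an added example that is not part of either post and is not Burp's code: for each scalar value in a JSON body it builds the request a raw splice would produce (payload placed where a bare number, boolean or null token was) next to a re-serialized one where the payload becomes a quoted string. The sentinel, the sample body and all function names are assumptions made for illustration.

```python
import copy
import json

SENTINEL = 7041776001  # constructed marker, assumed not to occur in the body
SAMPLE_BODY = '{"user": "alice", "id": 42, "active": true, "tags": ["a", 7]}'  # constructed

def scalar_paths(node, path=()):
    """Yield the path to every scalar value (each one an insertion point)."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from scalar_paths(child, path + (key,))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from scalar_paths(child, path + (index,))
    else:
        yield path

def get_path(doc, path):
    for step in path:
        doc = doc[step]
    return doc

def set_path(doc, path, value):
    """Return a deep copy of doc with the value at path replaced."""
    out = copy.deepcopy(doc)
    get_path(out, path[:-1])[path[-1]] = value
    return out

def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False

def variants(body, payload):
    """Per insertion point: (path, raw-splice body, re-quoted body). Top level must be an object or array."""
    doc = json.loads(body)
    results = []
    for path in scalar_paths(doc):
        quoted = json.dumps(set_path(doc, path, payload))
        if isinstance(get_path(doc, path), str):
            raw = quoted  # value was already quoted, so the payload stays inside the quotes
        else:
            # number/true/false/null: the payload lands where the bare token was
            raw = json.dumps(set_path(doc, path, SENTINEL)).replace(str(SENTINEL), payload)
        results.append((path, raw, quoted))
    return results
```

Running `variants(SAMPLE_BODY, payload)` and passing each body to `is_valid_json` shows which insertion points a server-side parser would reject before the payload ever reaches application logic.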

