Attack payloads in unquoted JSON attributes
I observed that Burp Scanner sends attack payloads in unquoted JSON attributes, which usually results in server-side parsing errors. I repeated the attack request with a quoted attribute and there were no parsing errors. Would it be a good idea to add quotes to unquoted attributes after inserting the payloads during an active scan? I am just spitballing, I may be wrong. Thank you!
Thanks for letting us know about this. I had noticed this as well. While in theory some servers may respond to invalid JSON, I expect this is quite rare, so simply removing those probes (except perhaps in thorough mode) would make some sense.
There are a few other limitations with JSON support, for example we don’t attempt to inject payloads in any keys. This is an area we will revisit in future, although that is likely to be some time away.
Thanks again for reporting this behavior.
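The behaviour discussed in this thread can be reproduced offline. The following is an added example, not Burp's code and not from either poster: it splices a test string into each unquoted JSON value (number, boolean, null) both raw and JSON-quoted, then checks which request body still parses. The function names, sample body and sample payload are constructed for illustration.

```python
import json
import re

# Matches either a complete JSON string (skipped below) or an unquoted
# scalar: a number, true, false or null.
TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|\b(?:true|false|null)\b'
)

def is_valid_json(text):
    """Return True if a strict JSON parser accepts the text."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

def probe_unquoted_values(body, payload):
    """For every unquoted scalar in body, build a raw and a quoted variant."""
    results = []
    for m in TOKEN.finditer(body):
        if m.group().startswith('"'):
            continue  # already a quoted string (key or value), not our case
        prefix, suffix = body[:m.start()], body[m.end():]
        raw_body = prefix + payload + suffix
        # json.dumps adds the surrounding quotes and escapes the payload
        quoted_body = prefix + json.dumps(payload) + suffix
        results.append({
            "original": m.group(),
            "raw_valid": is_valid_json(raw_body),
            "quoted_body": quoted_body,
            "quoted_valid": is_valid_json(quoted_body),
        })
    return results

# Constructed sample request body and a harmless marker payload.
SAMPLE_BODY = '{"id": 42, "active": true, "name": "a 7 b", "ratio": -1.5e3}'
SAMPLE_PAYLOAD = 'probe"1'

if __name__ == "__main__":
    for r in probe_unquoted_values(SAMPLE_BODY, SAMPLE_PAYLOAD):
        print(r["original"], "raw valid:", r["raw_valid"],
              "quoted valid:", r["quoted_valid"])
```

Quoting changes the value's type from number or boolean to string, so a server with strict schema validation may still reject the quoted variant even though it parses.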