Ignores JSON parameters after {}

Masahiro Izuka Apr 23, 2019 06:13AM UTC

Dear,

I found that the string {} in the JSON of a request body, meaning an empty object, causes the parameters following it not to be recognized as parameters. The version is Burp Suite Professional v1.7.37.

For example, I have a POST request with the following body in Intruder:

{
    param_a: "val_a",
    param_b: {
        param_b_1: 10,
        param_b_2: true
    },
    param_c: {},
    param_d: 80,
    param_e: [1, 2, 3, 4]
}

After pushing the "Auto §" button, I see that the values of parameters d and e are not marked as payload positions, although the others are marked successfully.

On the other hand, if the characters {} are not contiguous, such as "{ }" with a space, all the parameters are recognized as expected.

Scanner seems to behave the same way, as I found in the session tracer.

This may cause us to skip scanning target parameters without noticing. I hope this gets fixed.

Regards
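
A way to catch the coverage gap described in this report before relying on the marked positions, as an added example (not code from this thread or from Burp Suite): it parses an Intruder-style template and lists the JSON leaf values that carry no § marker. The quoted-key sample body, the `__MARKED__` sentinel and the function name are assumptions made for the example, as is the premise that markers wrap whole values.

```python
import json
import re

MARK = "\u00a7"          # the § payload-position marker
SENTINEL = "__MARKED__"  # hypothetical placeholder chosen for this example


def unmarked_leaves(template: str) -> list:
    """Return JSON paths of leaf values that have no payload marker.

    Assumes markers wrap whole values: "§val§" for strings, §10§ for bare values.
    """
    span = f"{MARK}[^{MARK}]*{MARK}"
    # Swap every marked value for a sentinel string so the body parses as JSON.
    body = re.sub(f'"{span}"|{span}', json.dumps(SENTINEL), template)
    if MARK in body:
        raise ValueError("unbalanced payload marker")
    missing = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif node != SENTINEL:
            missing.append(path)  # a leaf that would not be fuzzed

    walk(json.loads(body), "$")
    return missing


# Constructed template mirroring the reported result: nothing after {} is marked.
SAMPLE = """{
  "param_a": "§val_a§",
  "param_b": {"param_b_1": §10§, "param_b_2": §true§},
  "param_c": {},
  "param_d": 80,
  "param_e": [1, 2, 3, 4]
}"""

if __name__ == "__main__":
    for path in unmarked_leaves(SAMPLE):
        print("no payload position:", path)
```

An empty result means every leaf value in the body has a payload position; empty objects and arrays have no leaves and are never reported.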


Liam Tai-Hogan Apr 26, 2019 02:05PM UTC Support Center agent

Thanks for this report. We’ll investigate this issue and get back to you when we’ve made some progress.


Rose Krawczuk May 07, 2019 08:13AM UTC Support Center agent

This issue should be fixed in the next release of Burp 2.

Thanks again for the report.


Masahiro Izuka May 10, 2019 06:01AM UTC
Thanks for your investigation.
I'm waiting for the fix.
