
Disabling URL Encoding in Spider

Vladamir Jul 12, 2019 01:17PM UTC

Hi,

Intruder has a feature that allows the user to specify whether or not special characters should be URL-encoded. Is there a similar feature for custom values submitted with the spider?


Liam Tai-Hogan Jul 16, 2019 09:12AM UTC Support Center agent

There is no similar feature in Burp Spider. It’s worth noting that we have replaced Burp Spider with Burp Crawler.

Could you let us know your exact use case for this feature?


Vladamir Jul 16, 2019 02:19PM UTC
I haven't upgraded to the newest version of Burp yet. I'll have to do that.

But the reason I ask is because sometimes when I'm doing manual testing I want the spider to submit a bunch of special characters into all parameters. Then I can look for strange behavior, errors, and so on.

When the request is a GET, the characters are double encoded; so if I tell Burp to submit this:

'";>/<.

The spider submits the following:

%2527%2522%253b%253e%252f%253c

This may cause the application to behave differently than if it submitted this:

'%22;%3E%2f%3C

Or at least that was my assumption. I'm not too experienced with webapp testing yet so maybe I'm just mistaken.
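
Added example, not part of the original posts and not Burp code: a small Python check that counts how many URL-encoding layers a value carries and shows what an application that decodes once would receive, using the strings quoted above. The function names and the `MAX_ROUNDS` cap are assumptions made for this illustration.

```python
from urllib.parse import unquote

# Strings quoted in the thread above.
RAW = "'\";>/<."
SPIDER_SENT = "%2527%2522%253b%253e%252f%253c"
EXPECTED_SENT = "'%22;%3E%2f%3C"

MAX_ROUNDS = 5  # assumed cap so a pathological value cannot loop for long


def encoding_layers(value, max_rounds=MAX_ROUNDS):
    """Return (layers, fully_decoded): how many percent-decoding passes
    change the value, and what remains once decoding is stable."""
    layers = 0
    current = value
    while layers < max_rounds:
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode (or malformed '%')
            break
        current = decoded
        layers += 1
    return layers, current


def server_view(query_value):
    """What an application that percent-decodes exactly once receives."""
    return unquote(query_value)


def compare(values):
    """Summarise each candidate request value for side-by-side review."""
    rows = []
    for v in values:
        layers, final = encoding_layers(v)
        rows.append({"sent": v, "layers": layers,
                     "app_sees": server_view(v), "fully_decoded": final})
    return rows


if __name__ == "__main__":
    for row in compare([RAW, SPIDER_SENT, EXPECTED_SENT]):
        print(row)
```

With the double-encoded value, a single decode leaves the literal text `%27%22%3b%3e%2f%3c`, so the special characters never reach the parameter handling unless the application decodes a second time.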

Liam Tai-Hogan Jul 17, 2019 02:53PM UTC Support Center agent

This doesn’t sound like something a crawler / spider is designed for. This sounds more like a scan check.

You could try using the Scan Check builder from the BApp store:

- https://portswigger.net/bappstore/618f0b2489564607825e93eeed8b9e0a

Please let us know if you need any further assistance.

