Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

GetParameters (IRequestInfo) bug

Daniel | Last updated: Apr 16, 2015 11:20PM UTC

Hi, I am using the "getParameters()" method of IRequestInfo and I have found a bug. When a request is parsed by this method it returns all the parameters that it found in "get parameters", "post parameters" and cookies. If the following request is parsed by this method: GET /url.php?param1=value1 Host: x.x.x.x Cookie: cookie1=value2 GetParameters() returns: {u'param1': u'value1', u'cookie1': u'value2'} But if the request is the following: GET /url.php?param1=value1 Host: x.x.x.x Cookie: param1=value2 GetParameters() returns: {u'param1': u'value2'} The GetParameters() method does not detect that there are a GET parameter with the same name that a cookie (it is possible) and if I want reuse this request, it will be malformed. Regards,

PortSwigger Agent | Last updated: Apr 20, 2015 10:35AM UTC

We're not able to reproduce this problem. I wrote a quick extension with the following code: String request = "GET /url.php?param1=value1\r\n" + "Host: x.x.x.x\r\n" + "Cookie: param1=value2\r\n\r\n"; IRequestInfo requestInfo = callbacks.getHelpers().analyzeRequest(null, request.getBytes()); for (IParameter parameter : requestInfo.getParameters()) { System.out.println(parameter.getType() + " " + parameter.getName() + " " + parameter.getValue()); } Burp correctly output two parmeters with the same name, but different types and values: 0 param1 value1 2 param1 value2 If you're still seeing a problem, please can you provide code that reproduces some unexpected behavior? Thanks.

Mike, PortSwigger Agent | Last updated: Sep 28, 2015 07:55AM UTC

Dean, it sounds like you are reproducing Dafydd's behavior as opposed to Daniels, as you can see both parameter names with different types which is correct, whereas Daniel only gets one parameter returned.

Burp User | Last updated: Oct 22, 2019 03:26AM UTC

I can reproduce the behaviour described by Daniel in his post. Functionally I'm doing the same thing as in your Java example, but am implementing it in Python. When I iterate over the value returned by getParameters() it includes all params and cookies. They can be distinguished by their type though (e.g. query params are type 0, post body type 1, and cookies type 2).

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.