
Illegal Unicode Payload seems to be not working

Ricardo Iramar dos Santos Mar 10, 2017 09:06PM UTC

I have Burp Professional and I'm trying to use the Illegal Unicode payload on Intruder, but it seems that it is not working.
As an example, I tried the request below, selecting xpto from the URL as a payload position and Sniper as an attack type.
From the Payloads tab I've selected Illegal Unicode, and under Items I've selected the a-z list and clicked on Start attack.
Payload count is showing me 52 approx., but from the Intruder attack window I can see just one single request and the status Finished.
Could you please check? If this is not a bug, could you please provide me an end-to-end example?

GET§xpto§ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Upgrade-Insecure-Requests: 1

Dafydd Stuttard Mar 11, 2017 01:52PM UTC Support Center agent

To use the Illegal Unicode payload type, you need to put a particular character into your payloads (such as *) and configure the payload generator to replace occurrences of * with illegal representations of X (a character that you configure). So, for example, if you are attacking file path handling, you could configure some payloads containing the / character, and configure the generator to replace / with illegal representations of /.
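A server-side check for the kind of input discussed in this thread, as an added example that is not part of the original posts or of Burp's own code: it percent-decodes a request path and reports overlong UTF-8 sequences, which a lax decoder would turn into characters such as /. It assumes "illegal representations" means overlong UTF-8 encodings (one well-known class); the function names and the sample path are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Smallest code point that legitimately needs an N-byte UTF-8 sequence.
# A sequence that decodes to something smaller is overlong and must be rejected.
MIN_CODE_POINT = {2: 0x80, 3: 0x800, 4: 0x10000}


def find_overlong(raw: bytes):
    """Return (offset, sequence, code_point) for each overlong UTF-8 sequence."""
    hits = []
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead & 0xE0 == 0xC0:
            length, cp = 2, lead & 0x1F
        elif lead & 0xF0 == 0xE0:
            length, cp = 3, lead & 0x0F
        elif lead & 0xF8 == 0xF0:
            length, cp = 4, lead & 0x07
        else:
            i += 1  # ASCII byte, stray continuation byte or invalid lead byte
            continue
        tail = raw[i + 1:i + length]
        if len(tail) != length - 1 or any(t & 0xC0 != 0x80 for t in tail):
            i += 1  # truncated or malformed sequence, not an overlong one
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < MIN_CODE_POINT[length]:
            hits.append((i, raw[i:i + length], cp))
        i += length
    return hits


def check_path(path: str):
    """Percent-decode a URL path and list overlong sequences as
    (offset, hex bytes, character a lax decoder would produce)."""
    raw = unquote_to_bytes(path)
    return [(off, seq.hex(), chr(cp)) for off, seq, cp in find_overlong(raw)]


if __name__ == "__main__":
    # Constructed sample: 0xC0 0xAF is a two-byte overlong form of "/" (0x2F).
    sample = "/scripts/..%c0%af../x"
    for offset, seq_hex, char in check_path(sample):
        print(f"overlong {seq_hex} at byte {offset} decodes to {char!r}")
```

Running such a check before any path normalisation or access-control decision means the component that authorises the request and the component that opens the file see the same bytes.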
