Burp Suite User Forum

Illegal Unicode Payload seems to be not working

Ricardo | Last updated: Mar 10, 2017 09:06PM UTC

I have Burp Professional and I'm trying to use the Illegal Unicode payload in Intruder, but it seems that it is not working. As an example, I tried the request below, selecting xpto from the URL as a payload position and Sniper as the attack type. From the Payloads tab I selected Illegal Unicode, and under Items I selected the a-z list and clicked on Start attack. The payload count is showing me 52 approx., but in the Intruder attack window I can see just one single request and the status Finished. Could you please check? If this is not a bug, could you please provide me an end-to-end example? Thanks!

GET http://ricardo-iramar.com/§xpto§ HTTP/1.1
Host: ricardo-iramar.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Upgrade-Insecure-Requests: 1

PortSwigger Agent | Last updated: Mar 11, 2017 01:50PM UTC

To use the Illegal Unicode payload type, you need to put a particular character into your payloads (such as *) and configure the payload generator to replace occurrences of * with illegal representations of X (a character that you configure). So, for example, if you are attacking file path handling, you could configure some payloads containing the / character, and configure the generator to replace / with illegal representations of /.
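For the server side of the file path case above, this added example (not part of the thread and not PortSwigger code) shows how a path handler can detect one class of illegal representation, overlong UTF-8 encodings, before any path normalisation runs. The function names and sample paths are constructed for illustration, and treating overlong UTF-8 as the representation of interest is an assumption.

```python
from urllib.parse import unquote_to_bytes

def find_overlong(raw: bytes):
    """Return (offset, hex_sequence, decoded_char) for each overlong UTF-8 sequence."""
    hits = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:                      # plain ASCII byte
            i += 1
            continue
        # The lead byte fixes the sequence length and the smallest code point
        # that may legally be encoded with that length.
        if b & 0xE0 == 0xC0:
            n, cp, minimum = 2, b & 0x1F, 0x80
        elif b & 0xF0 == 0xE0:
            n, cp, minimum = 3, b & 0x0F, 0x800
        elif b & 0xF8 == 0xF0:
            n, cp, minimum = 4, b & 0x07, 0x10000
        else:                             # stray continuation or invalid lead byte
            i += 1
            continue
        tail = raw[i + 1:i + n]
        if len(tail) != n - 1 or any(t & 0xC0 != 0x80 for t in tail):
            i += 1                        # truncated or malformed sequence
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < minimum:                  # encoded with more bytes than needed
            hits.append((i, raw[i:i + n].hex(), chr(cp)))
        i += n
    return hits

def check_path(url_path: str):
    """Percent-decode a request path to bytes and scan it for overlong forms."""
    return find_overlong(unquote_to_bytes(url_path))

# Constructed sample request paths (not taken from the thread)
SAMPLES = [
    "/static/app.css",
    "/files/..%c0%af..%c0%afetc",
    "/files/%e0%80%af",
    "/caf%c3%a9",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(path, "->", check_path(path) or "clean")
```

A request whose path yields any hit should be rejected outright rather than decoded leniently, since a lenient decoder would turn the sequence back into the character the filter was meant to catch.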