Auto-marking parameters in URL paths in Intruder
The swurg extension allows parsing Swagger JSON files into items in Burp that can then be sent to Intruder, Repeater, or Scanner.
However, Swagger JSON files allow for parameters inside URL paths. There seems to be no way to construct a URL path that can be auto-marked in the Intruder tab.
Manually placing § in the Swagger JSON file before it is parsed will appear as a different Unicode character in the Intruder tab URL (box symbols).
Is there any way to extend or change this behaviour?
You could modify the source code for this extension easily enough to compute the desired locations for your payload markers, and use these when items are sent to Intruder or Scanner, via the API.
However, when I change the curly braces to section signs (§), the Intruder tab will load them as Â. So it shows as site.com/ÂparamÂ/Âparam2Â
I can see that the HttpRequest body is stored in a byte array, and I'm assuming that when it is loaded into the intruder tab, it is decoded differently than how it was encoded?
If you use a byte with value 0xA7 in your byte array that is sent to Intruder, this should show up as a payload position marker.
But the more elegant way to do it is to use the overloaded APIs that take a list of offsets to use as payload positions / insertion points:
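
An added example, not code from the thread or from the swurg project: one way to compute those offsets for `{name}` placeholders in the request line. The class and method names and the sample request are constructed for illustration, the `callbacks`, `host`, `port` and `useHttps` variables in the final comment are assumed to exist in the extension, and the end offset is assumed to be exclusive.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class PathParamMarkers {

    // Returns {start, end} byte offsets (end assumed exclusive) of every {name}
    // placeholder in the request-target of the first line; headers and body are ignored.
    static List<int[]> pathParamOffsets(byte[] request) {
        List<int[]> offsets = new ArrayList<>();
        int i = 0;
        // Skip the method: the request-target starts after the first space.
        while (i < request.length && request[i] != ' ') i++;
        int open = -1;
        for (i++; i < request.length; i++) {
            byte b = request[i];
            // Stop at the space before the HTTP version, or at end of line.
            if (b == ' ' || b == '\r' || b == '\n') break;
            if (b == '{') {
                open = i;
            } else if (b == '}' && open >= 0) {
                offsets.add(new int[] { open, i + 1 });
                open = -1;
            }
        }
        return offsets;
    }

    public static void main(String[] args) {
        // Constructed sample request, not taken from the thread.
        byte[] req = ("GET /users/{userId}/orders/{orderId}?x=1 HTTP/1.1\r\n"
                + "Host: example.test\r\n\r\n").getBytes(StandardCharsets.ISO_8859_1);

        for (int[] p : pathParamOffsets(req)) {
            String marked = new String(req, p[0], p[1] - p[0], StandardCharsets.ISO_8859_1);
            System.out.println(p[0] + "-" + p[1] + " " + marked);
        }

        // UTF-8 encodes the section sign as two bytes (0xC2 0xA7); 0xC2 read as
        // Latin-1 is 'Â', which matches the symptom described in the thread.
        System.out.println("UTF-8 bytes:   " + "\u00a7".getBytes(StandardCharsets.UTF_8).length);
        System.out.println("Latin-1 bytes: " + "\u00a7".getBytes(StandardCharsets.ISO_8859_1).length);

        // Inside the extension the list would be passed to the offsets overload, e.g.:
        // callbacks.sendToIntruder(host, port, useHttps, req, pathParamOffsets(req));
    }
}
```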