Burp Suite User Forum

Auto-marking parameters in URL paths in intruder

TC | Last updated: Mar 13, 2017 10:44PM UTC

The swurg extension allows parsing Swagger JSON files into items in Burp that can then be sent to Intruder, Repeater, or Scanner. However, Swagger JSON files allow for parameters inside URL paths. There seems to be no way to construct a URL path that can be auto-marked in the Intruder tab. Manually placing § in the Swagger JSON file before it is parsed will appear as a different Unicode character in the Intruder tab URL (box symbols). Is there any way to extend or change this behaviour?

PortSwigger Agent | Last updated: Mar 14, 2017 10:02AM UTC

You could modify the source code for this extension easily enough to compute the desired locations for your payload markers, and use these when items are sent to Intruder or Scanner, via the API.

Burp User | Last updated: Mar 14, 2017 04:32PM UTC

The extension already captures parameters in the path and surrounds them with curly braces. Sending an item from the extension to Intruder will show paths such as site.com/{param}/{param2}. However, when I change the curly braces to section signs (§), the Intruder tab will load them as Â, so it shows as site.com/ÂparamÂ/Âparam2Â. I can see that the HttpRequest body is stored in a byte array, and I'm assuming that when it is loaded into the Intruder tab, it is decoded differently than how it was encoded?

PortSwigger Agent | Last updated: Mar 14, 2017 04:35PM UTC

If you use a byte with value 0xA7 in your byte array that is sent to Intruder, this should show up as a payload position marker. But the more elegant way to do it is to use the overloaded APIs that take a list of offsets to use as payload positions / insertion points:

https://portswigger.net/burp/extender/api/burp/IBurpExtenderCallbacks.html#sendToIntruder(java.lang.String,%20int,%20boolean,%20byte[],%20java.util.List)

https://portswigger.net/burp/extender/api/burp/IBurpExtenderCallbacks.html#doActiveScan(java.lang.String,%20int,%20boolean,%20byte[],%20java.util.List)
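
The offset-based approach from the reply above, as an added example that is not part of the thread and is not swurg's own code: it strips the curly braces the extension puts around path parameters and passes the resulting positions to the `sendToIntruder` overload. The class name `PathParamMarker` and its methods are hypothetical, and the code assumes placeholders appear only in the request line.

```java
import burp.IBurpExtenderCallbacks;
import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not part of swurg: converts {name} placeholders in the
// request line into Intruder payload positions. Passing offsets avoids marker
// bytes altogether (a UTF-8 encoded section sign is 0xC2 0xA7, not a lone 0xA7).
public final class PathParamMarker {

    // Removes the braces from the request line and records, for each
    // placeholder, {start, end} offsets into the returned (brace-free) request.
    static byte[] stripBraces(byte[] request, List<int[]> offsets) {
        ByteArrayOutputStream out = new ByteArrayOutputStream(request.length);
        boolean inRequestLine = true; // headers and body are copied untouched
        int start = -1;               // output offset of the open placeholder, or -1
        for (byte b : request) {
            if (b == '\r' || b == '\n') {
                inRequestLine = false;
            }
            if (inRequestLine && b == '{' && start < 0) {
                start = out.size();
            } else if (inRequestLine && b == '}' && start >= 0) {
                // end offset is one past the last byte of the parameter name
                offsets.add(new int[] { start, out.size() });
                start = -1;
            } else {
                out.write(b);
            }
        }
        return out.toByteArray();
    }

    public static void sendMarked(IBurpExtenderCallbacks callbacks, String host,
                                  int port, boolean useHttps, byte[] request) {
        List<int[]> offsets = new ArrayList<>();
        byte[] cleaned = stripBraces(request, offsets);
        if (offsets.isEmpty()) {
            // No path placeholders: fall back to Intruder's default marking.
            callbacks.sendToIntruder(host, port, useHttps, cleaned);
        } else {
            callbacks.sendToIntruder(host, port, useHttps, cleaned, offsets);
        }
    }
}
```

For a request line of `GET /{param}/{param2} HTTP/1.1`, the cleaned request reads `GET /param/param2 HTTP/1.1` and the recorded positions are {5, 10} and {11, 17}.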

Burp User | Last updated: Mar 14, 2017 11:15PM UTC

Thank you, modifying the function in the extension as you mentioned worked well.
