
Header injection using Burp Intruder is not working as expected

vytautas ziedelis Nov 04, 2019 12:01AM UTC

Hi, I noticed one problem while trying to do automatic header injection using Intruder.
I created an empty placemarker in the Positions tab because I want to insert a new header from the list of headers I have. That is not a problem; however, the problem is that the ":" gets replaced with "%3a%" for whatever reason.
The question is: is it normal to be that way, or is it a bug? Because it means that I can't automate the process for injecting extra headers.

Instead of getting the original value from the list of payloads: Accept: text/plain
I am getting the following: Accept%3a%20text%2fplain
I am wondering, then, how come the original headers are not affected if they are in the same format?
Thanks for your answers and suggestions in advance.

I am running the free edition and it is the latest version as of the post date.

Mike Eaton Nov 04, 2019 10:30AM UTC Support Center agent

Hi, in the Intruder > Payloads tab, at the bottom you should see a section labeled ‘Payload Encoding’. This section allows you to define certain characters that will be URL-encoded when processed by Intruder.

The ‘:’ character that you have referenced is configured by default to be encoded. If you remove it from the list/disable this feature, you should no longer encounter this change happening during the attack phase.

vytautas ziedelis Nov 04, 2019 02:12PM UTC
Sorry for my silly incompetence; I should put that in the how-to section. When I have the money I will buy the Pro because the app is outstanding. Also, I find this software educational because I can learn about different elements of the web.
