Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Multi-Payload encoding rules and Encoding options for Scanner

Armando Dec 03, 2019 09:37AM UTC

Hi,

It would be nice if you could add support for encoding rules in intruder or scanner. This need comes from many websites where base64 encoded JSONs are used to transfer information between the client and the backend. For example, lets say that a website sends this while searching for something:

eyJmaWx0ZXJzIjp7Im1hdGNoIjpbImFhYSJdfSwic2VsZWN0ZWRTb3J0IjoiUkVMRVZBTkNFIiwidHlwZSI6IkluZGV4IiwibmFtZSI6IkluZGV4In0=

This will be decoded to the following JSON (with payloads already delimited):

{"filters":{"match":["§aaa§"]},"selectedSort":"§RELEVANCE§","type":"§Index§","name":"§Index§"}

Wouldn't be possible to add another symbol to the intruder so it could wrap the whole JSON and apply a encoding to that selection?

This would also be very helpful if the scanner could take advantage of this information.

Best regards


Michelle Gillian Dec 04, 2019 01:57PM UTC Support Center agent

Hi

Thanks for the feedback.

We’ve passed this idea on to our product team so they can review it and assess demand. If you have any additional information which you feel would help them better understand the requirements, please let us know.


learner213 Dec 19, 2019 12:34PM UTC
Hackvertor could solve this problem
https://portswigger.net/bappstore/65033cbd2c344fbabe57ac060b5dd100

Gerrit Padgham Dec 30, 2019 10:28PM UTC
I would love to see something like this too. The Burp Scanner already has a finding for "Base64 encoded parameter value" - it would be wonderful to have an option to tell burp to "decode it, and actively scan those values" (where burp would re-encode and send the data to server. I've ended up having to write extensions do this, but they are far from perfect, and I usually end up having to tweak them a lot. Would be nice if this functionality were just built in.

Hannah Law Jan 02, 2020 09:20AM UTC Support Center agent

Hi. Thank you for the feedback.

I’ve updated the feature request with this additional information.


Post Your public answer

Your name
Your email address
Answer