-
Notifications
You must be signed in to change notification settings - Fork 116
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Flag to avoid URL encoding in GET based parameters #95
Comments
Thanks for the feedback. We'll pass this on and register your interest in this feature to help us decide what we should focus on with BChecks in the future. In the meantime would 'send request (raw)' help? |
Thanks for your response, no it would not help, because the use case is to inject payloads in injection points (parameters, for example) without encoding. As far as I can tell from the documentation, raw requires you to write the whole HTTP request from scratch. |
@ldionmarcil - Sorry that's not going to help. We've got this request logged so we can review it as we look at what features to add next. |
I have a case some character in my payloads get coded. regards |
Thanks for the update. We'll pass on that example use case too :) |
:+1 For this, payload automatically encoded cause it didn't work. |
We've added your vote for this, too. |
+1 for this too. hopefully Burp will update soon. |
Thanks for getting in touch. We've added your vote. I'm afraid we can't make any promises just yet. |
@ldionmarcil @ayadim @Michelle-PortSwigger My friend just found another way, use |
Thanks for sharing that :) |
@minhnb11 could you please elaborate more on how the bcheck looks like? |
Hi all, while writing a "given insertion point then" BCheck, I noticed that my appended payloads would automatically get URL encoded in GET parameters. Any plans on making this optional? For example, this would make finding some SSI injections and ESI injections impossible.
ie:
Expected behaviour, the vulnerable app would echo & the web server would evaluate the SSI tag.
request:
GET /?param=foo<!--#echo var=\"HTTP_USER_AGENT\" -->
response:
foo<!--#echo var="HTTP_USER_AGENT" -->
Observed behaviour, the vulnerable app receives an URL encoded payload, the server does not see the SSI tag because it is URL encoded, thus we get a false negative:
request:
GET /?param=foo%3c!--%23echo%20var%3d%22HTTP_USER_AGENT%22%20--%3e
response:
foo%3c!--%23echo%20var%3d%22HTTP_USER_AGENT%22%20--%3e
The text was updated successfully, but these errors were encountered: