Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[burp.api.montoya.utilities.json] Request method to get JSON parameter location with one click #104

Open
cloud-jie opened this issue Nov 12, 2024 · 3 comments
Open

[burp.api.montoya.utilities.json] Request method to get JSON parameter location with one click #104

cloud-jie opened this issue Nov 12, 2024 · 3 comments

Comments

@cloud-jie
Copy link

cloud-jie commented Nov 12, 2024
edited
Loading

All methods of burp.api.montoya.utilities.json accept JSON strings and positions. However, for such an important position, there is no method that can get the position of all parameters in one click.

image

In addition, will burp.api.montoya.utilities.CryptoUtils provide encryption methods such as aes, rsa, sm2, sm4, des, etc. in the future?
@Michelle-PortSwigger
Copy link

Hi

If you don't know the structure of the JSON and need to walk it/interrogate it you might find the JsonNode interface useful as a starting point:
https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/utilities/json/JsonNode.html
I hope this helps.

For your second question, we don't have any current plans to provide encryption methods as part of burp.api.montoya.utilities.CryptoUtils, if we did in the future we would just be wrapping existing Java APIs, so in the emantime you may want to check out the JCEs (Java cryptography extensions).

@cloud-jie cloud-jie reopened this Dec 18, 2024
@cloud-jie
Copy link
Author

I noticed that the HttpRequest class has the method parameters() to get all the request parameters (including json), but there is no way to know the location of the json parameters (https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/utilities/json/JsonUtils.html Location syntax of document ).

Meanwhile, I quoted the following problem, it's not possible to update JSON parameters, which means if we want to modify the json parameters, we need to write more code or bring in a third-party library (e.g., fastjson), and while it's convenient to use a third-party library, it's obviously better to be able to use the methods provided by the montoya api.
#103 (comment)

It would be nice to also return the path information of the json parameter in the parameters() method

@Hannah-PortSwigger
Copy link
Contributor

Hi @cloud-jie

You can update a JSON value that you don't know the location of in the following way:

JsonUtils utils = utilities().jsonUtils();
String json = "{\"foo\":\"bar\"}";

JsonObjectNode obj = JsonNode.jsonNode(json).asObject();
obj.putString("foo", "baz");

String newJson = obj.toJsonString();

Hope this helps!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Hannah-PortSwigger @cloud-jie @Michelle-PortSwigger