Burp Suite User Forum

Create new post

Attack payloads in unquoted JSON attributes

apoorv | Last updated: Aug 22, 2018 04:32PM UTC

I observed that burp scanner sends attack payloads in unquoted JSON attributes, which usually results in server side parsing errors. I repeated the attack request with quoted attribute and there were no parsing errors. Will it be a good idea to add quotes to unquoted attribute after inserting the payloads during active scan ? I am just spitballing, I may be wrong. Thank you !

PortSwigger Agent | Last updated: Aug 23, 2018 07:58AM UTC

Hi Apporv Thanks for letting us know about this. I had noticed this as well. While in theory some server may responding to invalid JSON, I expect this is quite rare, so simply removing those probes (except perhaps in thorough mode) would make some sense. There are a few other limitations with JSON support, for example we don't attempt to inject payloads in any keys. This is an area we will revisit in future, although that it likely to be some time away. Thanks again for reporting this behavior.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.