Burp Suite User Forum

Automatically change the json content-type to xml and perform the scan.

Niraj | Last updated: Apr 30, 2021 07:30AM UTC

Does Burp already perform a scan on a request with json content type and json request body:

- By changing the content-type to application/xml
- And changing the json body type to xml
- Finally running all the scan on the resultant output

Please let me know if Burp already does this, if not how can we do this automatically?

Uthman, PortSwigger Agent | Last updated: Apr 30, 2021 08:22AM UTC

Hi Niraj,

This does not sound like a native scanner check. Does it correspond to a specific web security vulnerability? If so, can you provide some documentation or further information?

The JSON issues we detect can be found here:

- https://portswigger.net/web-security/dom-based/client-side-json-injection (Client-side JSON injection (DOM-based), Client-side JSON injection (reflected DOM-based), and Client-side JSON injection (stored DOM-based))

For XML issues, we can detect:

- XML entity expansion - https://portswigger.net/kb/issues/00400700_xml-entity-expansion
- XML external entity (XXE) injection - https://portswigger.net/web-security/xxe
- XML injection - https://portswigger.net/kb/issues/00100700_xml-injection

You may be able to automate this by writing some custom scan checks using the 'Burp Bounty, Scan Check Builder' extension (https://portswigger.net/bappstore/618f0b2489564607825e93eeed8b9e0a).
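The conversion asked about in this thread (JSON body re-serialised as XML, Content-Type switched to application/xml), as an added example that is not part of the thread and not Burp or Burp Bounty code. The `root` and `item` element names, the key sanitising rule and the sample request are assumptions made for the illustration; the converted request is what you would then hand to the scanner.

```python
import json
import re
from xml.sax.saxutils import escape

def safe_tag(key):
    """Map a JSON key to a usable XML element name (assumed rule: bad chars become '_')."""
    name = re.sub(r"[^A-Za-z0-9_.-]", "_", str(key)) or "_"
    return name if name[0].isalpha() or name[0] == "_" else "_" + name

def to_xml(value, tag):
    """Serialise a decoded JSON value as an XML element named `tag`."""
    if isinstance(value, dict):
        inner = "".join(to_xml(v, safe_tag(k)) for k, v in value.items())
    elif isinstance(value, list):
        inner = "".join(to_xml(v, "item") for v in value)  # "item" wrapper is an assumption
    elif value is None:
        inner = ""
    elif isinstance(value, bool):
        inner = "true" if value else "false"
    else:
        inner = escape(str(value))  # escape <, > and & in text nodes
    return f"<{tag}>{inner}</{tag}>"

def convert_request(raw, root="root"):
    """Return the raw HTTP request with a JSON body rewritten as XML.

    Requests that are not JSON, or whose body does not parse, come back unchanged.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, headers = lines[0], lines[1:]
    ctype = next((h.split(":", 1)[1] for h in headers
                  if h.lower().startswith("content-type:")), "")
    if "json" not in ctype.lower():
        return raw
    try:
        data = json.loads(body.decode("utf-8"))
    except ValueError:  # covers both bad UTF-8 and bad JSON
        return raw
    xml = ('<?xml version="1.0" encoding="UTF-8"?>' + to_xml(data, root)).encode("utf-8")
    kept = [h for h in headers
            if not h.lower().startswith(("content-type:", "content-length:"))]
    kept += ["Content-Type: application/xml", f"Content-Length: {len(xml)}"]
    return "\r\n".join([request_line] + kept).encode("iso-8859-1") + b"\r\n\r\n" + xml

# Constructed sample request (not captured traffic).
SAMPLE = (b"POST /api/orders HTTP/1.1\r\nHost: shop.example\r\n"
          b"Content-Type: application/json; charset=utf-8\r\nContent-Length: 46\r\n\r\n"
          b'{"id": 7, "tags": ["a", "b<c"], "paid": false}')
```

Whether the target accepts the XML form at all depends on the server-side parser, so compare the response to the converted request with the JSON baseline before spending scan time on it.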
