Burp Suite User Forum


Angelo | Last updated: Aug 02, 2018 02:36PM UTC

Hi,

I want to use Intruder to fuzz param1 and param2 in a base64 encoded payload:

Intercepted POST request body:

    data=cGFyYW0xPTEyMzsgcGFyYW0yPTQ1Ng==

Decoding "data":

    param1=123; param2=456

I figured out how to decode it, but then I would need to define the payload positions (123 and 456) and then encode it back before sending to the application.

How should I proceed? Do I need to implement a custom plugin or can I do that by using Burp built-in tools?

Thanks!

PortSwigger Agent | Last updated: Aug 02, 2018 02:42PM UTC

Intruder does not directly support this scenario. Scanner does - it has good support for nested insertion points, and should handle this exact scenario transparently.

As a workaround you could write a script to create a file with all the permutations you want:

    param1=123; param2=456
    param1=124; param2=456
    etc.

You could use that as a payload, and add a payload processor to base64 encode.

This is something we may add to Intruder in the future, although that's a little way out.
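The workaround described in the reply above, as an added example that is not part of the original thread and is not PortSwigger's code: it decodes the captured value, varies the chosen fields, and writes one plaintext record per line for use as a payload list. The candidate values, the file name `payloads.txt` and all function names are assumptions made for illustration.

```python
import base64
import itertools

# Captured value from the thread: the base64 text after "data=" in the POST body.
CAPTURED = "cGFyYW0xPTEyMzsgcGFyYW0yPTQ1Ng=="


def parse_fields(encoded):
    """Decode the captured value into an ordered list of (name, value) pairs."""
    plain = base64.b64decode(encoded, validate=True).decode("ascii")
    return [tuple(part.split("=", 1)) for part in plain.split("; ")]


def build_payloads(encoded, candidates):
    """Yield one plaintext record per combination of candidate values.

    Fields missing from `candidates` keep their captured value, so every
    line has the same shape as the original record.
    """
    fields = parse_fields(encoded)
    pools = [candidates.get(name, [value]) for name, value in fields]
    for combo in itertools.product(*pools):
        yield "; ".join(f"{name}={v}" for (name, _), v in zip(fields, combo))


def b64(line):
    """Same transformation as a Base64-encode payload processing rule."""
    return base64.b64encode(line.encode("ascii")).decode("ascii")


def write_payload_file(path, encoded, candidates):
    """Write the plaintext records, one per line, and return how many."""
    count = 0
    with open(path, "w", newline="\n") as fh:
        for line in build_payloads(encoded, candidates):
            fh.write(line + "\n")
            count += 1
    return count


if __name__ == "__main__":
    # Constructed candidate values; replace with the test cases you need.
    sample = {"param1": ["123", "124", "125"], "param2": ["456", "457"]}
    n = write_payload_file("payloads.txt", CAPTURED, sample)
    first = next(build_payloads(CAPTURED, sample))
    print(f"wrote {n} lines; first record encodes to {b64(first)}")
```

The file holds plaintext records because the base64 step is left to the payload processor, as the reply suggests; `b64()` is there only to check that an unmodified record encodes back to the captured value.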

PortSwigger Agent | Last updated: Aug 02, 2018 03:08PM UTC

Yes, Burp will normally detect SQLi in a base64 encoded parameter. The scanner needs to see a base64 encoded value in the base request - only then will it base64 encode payloads.

Burp User | Last updated: Oct 01, 2018 12:48PM UTC

Hi,

When you mention "and should handle this exact scenario transparently", does it mean that Burp performs its injection tests by automatically encoding the payloads to base64 before sending them? Will Burp detect an SQLi in a base64 encoded parameter?

Thanks.
