The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


base64

Angelo | Last updated: Aug 02, 2018 02:36PM UTC

Hi, I want to use Intruder to fuzz param1 and param2 in a base64 encoded payload:

Intercepted POST request body:
data=cGFyYW0xPTEyMzsgcGFyYW0yPTQ1Ng==

Decoding "data":
param1=123; param2=456

I figured out how to decode it, but then I would need to define the payload positions (123 and 456) and then encode it back before sending to the application. How should I proceed? Do I need to implement a custom plugin or can I do that by using Burp built-in tools? Thanks!

PortSwigger Agent | Last updated: Aug 02, 2018 02:42PM UTC

Intruder does not directly support this scenario. Scanner does - it has good support for nested insertion points, and should handle this exact scenario transparently. As a workaround you could write a script to create a file with all the permutations you want:

    param1=123; param2=456
    param1=124; param2=456
    etc.

You could use that as a payload, and add a payload processor to base64 encode. This is something we may add to Intruder in the future, although that's a little way out.
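The workaround described in the reply above, as an added example that is not part of the original thread and is not PortSwigger's code: a Python script that decodes the sample value, writes the plaintext permutations one per line, and shows the base64 form each line should have after the payload processor runs. The function names, the output file name `payloads.txt` and the candidate value 457 are assumptions made for illustration.

```python
import base64
import itertools

# Sample request value from the thread (the part after "data=").
SAMPLE = "cGFyYW0xPTEyMzsgcGFyYW0yPTQ1Ng=="


def decode_fields(b64_value):
    """Decode the base64 value and split it into ordered (name, value) pairs."""
    text = base64.b64decode(b64_value, validate=True).decode("ascii")
    return [tuple(part.split("=", 1)) for part in text.split("; ")]


def render(fields):
    """Rebuild the plaintext form, e.g. 'param1=123; param2=456'."""
    return "; ".join(f"{name}={value}" for name, value in fields)


def permutations(fields, candidates):
    """Yield one plaintext line per combination of candidate values.

    candidates maps a field name to the values to try; fields that are
    not listed keep their original value.
    """
    names = [name for name, _ in fields]
    choices = [candidates.get(name, [value]) for name, value in fields]
    for combo in itertools.product(*choices):
        yield render(list(zip(names, combo)))


def write_payload_file(path, lines):
    """Write plaintext payloads, one per line, for use as a simple list."""
    with open(path, "w", encoding="ascii", newline="\n") as handle:
        for line in lines:
            handle.write(line + "\n")


def encode(line):
    """What the base64 payload processor should produce for one line."""
    return base64.b64encode(line.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    fields = decode_fields(SAMPLE)
    # Constructed candidate values, chosen only for illustration.
    wanted = {"param1": ["123", "124"], "param2": ["456", "457"]}
    lines = list(permutations(fields, wanted))
    write_payload_file("payloads.txt", lines)
    for line in lines:
        print(line, "->", encode(line))
```

Base64 output can contain `+`, `/` and `=`, so those characters need to be URL-encoded when the value is placed in a form-encoded body such as `data=...`.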

PortSwigger Agent | Last updated: Aug 02, 2018 03:08PM UTC

Yes, Burp will normally detect SQLi in a base64 encoded parameter. The scanner needs to see a base64 encoded value in the base request - only then will it base64 encode payloads.

Burp User | Last updated: Oct 01, 2018 12:48PM UTC