Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

BChecks - How to append something to each query parameter?

Ivo | Last updated: Nov 24, 2023 10:54AM UTC

Hi, I want to create a BCheck that appends something to each query parameter and checks if the response differs from the base response: metadata: language: v2-beta name: "Basic SQLi Checker" run for each: payload = "'", "\"" given request then if ({base.response.status_code} is "200") then send request called check: # TODO for each query parameter append {payload} if not({check.response.status_code} is {base.response.status_code}) then report issue and continue: severity: info confidence: tentative detail: `Potential SQL Injection detected at {check.request.url}. Confirm manually.` end if end if Can this even be done with a BCheck? Kind regards, Ivo

Hannah, PortSwigger Agent | Last updated: Nov 27, 2023 10:47AM UTC

Hi

It sounds like you would need to use a "given query insertion point then" check.

You could then do something like:
metadata:
    language: v2-beta
    name: "Basic SQLi Checker"

run for each:
    payloadSet =
        "'",
        "\""

given query insertion point then
    send payload called check:
        appending: {payloadSet}

    if {check} differs from {base} then
        report issue:
            severity: info
            confidence: tentative
            remediation: ""
            detail: ""
    end if

Ivo | Last updated: Nov 27, 2023 01:03PM UTC

Exactly what I was looking for! Thank you :)

Ivo | Last updated: Nov 28, 2023 10:20AM UTC

Another question: I created the following BCheck that shows an error "Unexpected error occured while running BCheck Basic SQLi Checker: Ztng - Attempting to reference an undefined variable: check2" ``` metadata: language: v2-beta name: "Basic SQLi Checker" given query insertion point then if {base.response.status_code} is "200" then send payload called check1: appending: "'" send payload called check2: appending: "''" if {check1} differs from {base} and {check2} is {base} then report issue: severity: high confidence: certain detail: "" end if end if ``` Not sure what I am doing wrong here.

Hannah, PortSwigger Agent | Last updated: Nov 28, 2023 04:56PM UTC

Hi Could you tell me the version of Burp that you are using? On v2023.10.3.6, this works as expected for me and sends both payloads.

Ivo | Last updated: Nov 29, 2023 02:27PM UTC

I am running v2023.10.3.6 on Kali Linux. The payloads are being sent, that's not the issue. I just noticed that inside the BChecks editor Event Log tab the mentioned error message appears.

Hannah, PortSwigger Agent | Last updated: Nov 30, 2023 12:53PM UTC

Is this message displaying when you click the "Validate" button? To clarify, even with this message appearing, can you still run the tests against your chosen requests and receive output?

On a slight tangent, to prevent unnecessary requests from being sent, we recommend making the following changes to your BCheck:

metadata:
    language: v2-beta
    name: "Basic SQLi Checker"

given query insertion point then
    if {base.response.status_code} is "200" then
        send payload called check1:
            appending: "'"

        if {check1} differs from {base} then
            send payload called check2:
                appending: "''"

            if {check2} is {base} then
                report issue:
                    severity: high
                    confidence: certain
                    detail: ""
            end if
        end if
    end if
By moving "check2" into the if block, you will only send the additional payload if the first criteria has been met.

Ivo | Last updated: Dec 01, 2023 10:07AM UTC

Thank you for recommending to move the second payload into a separate if block. Definitely makes sense to only send it when the first request leads to a different response. No, the error message appears when I run the BCheck and yes, the requests are still being sent and the findings created.

Hannah, PortSwigger Agent | Last updated: Dec 01, 2023 02:10PM UTC

Thanks for that information. Could you drop us an email at support@portswigger.net with some screenshots of this occurring? It would also be useful if you could attach a copy of your diagnostics information (Help > Diagnostics). We'll try to see if we can replicate the error message that you are encountering.

Ventsislav | Last updated: Feb 28, 2024 09:09AM UTC

Hi Hannah, Can you answer something for BCheck, how can I check for vulnerabilities in the body of the POST request for example: username=blblbl or password=blabla? I know that I can use Intruder, but the question is how can I build BCheck who check exactly this for me? BR

Hannah, PortSwigger Agent | Last updated: Feb 28, 2024 12:42PM UTC