Burp Suite User Forum


Burp 2020.9.1 crashes when sending certain characters in repeater

Adam | Last updated: Sep 10, 2020 10:49AM UTC

When POSTing a login request (it does not seem to matter if the body is JSON or HTTP post form etc.), the entire application crashes if a dollar ($) symbol is in a parameter name in the body of the request. Found when testing for NoSQL injection; the string 'password[$ne]=admin' or '"password[$ne]":"admin"' in the body seems to do it. It doesn't matter if the string is URL encoded or not. Overall, it seems that if the $ is in the parameter name, and it has a value, this is enough to crash it.

Uthman, PortSwigger Agent | Last updated: Sep 10, 2020 11:13AM UTC

Hi Adam, Thanks for reporting this. I have tried replicating this on http://demo.testfire.net but Burp is not crashing. Can you send further details (screenshots, screen recording, and steps to replicate) to support@portswigger.net, please?
