Research Academy Daily Swig
My account Customers Account and subscription management About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Login to post

Burp 2022.12.6 on Windows manipulates binary POST body data depending on the Content-Type request header

GarlicCheese | Last updated: Jan 25, 2023 07:16AM UTC

I've encountered this issue with two separate applications, but finally found a way to reproduce it. Burp v2022.12.6 on Windows 10 64bit, changes binary POST data, when sending manipulated requests. For example non-printable characters such as 0x96, 0x86, 0x90, 0x92, 0x9a, 0x89, 0x8b, 0x9e, 0x99, 0x93, 0x88, 0x87 or 0x8f all become 0x3f (?). I noticed this behavior for zip, xls and xlsx files, but I believe this has to do with the "Content-Type" request header. To reproduce this, I create a zip file from a lore-ipsum filled .txt file. Intercept the following curl command on windows with burp: ```curl -i -s -k -X "POST" -H "Host: example.com" -H "User-Agent: insomnia/2022.7.5" -H "Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" -H "Authorization: Bearer bingo" -H "Accept: */*" -H "Content-Length: 30168" -b "JSESSIONID=null" --data-binary "asdf" "https://example.com/burp/bug?test=true" --proxy 127.0.0.1:8080 -k``` Delete the 'asdf' from the POST body in the intercepted request and "Paste from file" the zip. Burp will add the file, briefly display non-printable characters with the empty square representation, but then replace most of these with question marks. If the file is pasted between 'as' and 'df' from the curl command, this doesn't seem to happen. If curl directly sends the zip file, this does not happen either. If the Content-Type is changed to something arbitrary, this does not happen either: ```-H "Content-Type: foo/bar"``` (same curl command as above, but a changed request header) The same behavior can be observed in the repeater. I can provide test files, screenshots and further details if required.

Hannah, PortSwigger Agent | Last updated: Jan 25, 2023 10:02AM UTC

Hi Could you drop us an email at support@portswigger.net with your test files? Could you also include a quick screen recording so that we can ensure we're using the same replication steps as you?

GarlicCheese | Last updated: Jan 25, 2023 11:16AM UTC

Will do. Thanks for the feedback.

You need to Log in to post a reply. Or register here, for free.