Burp Suite User Forum


[Burp Professional v2020.12 and 12.1] Force URL encoding even if disabled it on Intruder

KAISE | Last updated: Dec 24, 2020 12:21AM UTC

Hi, I am using Burp Pro v2020. I would like to report a bug. I used Intruder with the following Payloads settings:

[Positions]
Attack type: cluster bomb (2 payload positions)
- All positions are in the URL (e.g. "POST /example/$p1val$/$p2val$ HTTP/1.0")

[Payloads]
Payload type: simple list
Payload1 string: ss.dummy
Payload2 string: etc/ss.dummy
Payload Encoding: disable

But Intruder attacked after forcing URL encoding of the symbol characters ( ./\=<>?+&*;:"{}|^`) of Payload2.

[Result]
[Request]
POST /example/ss.dummy/etc%2fss%2edummy HTTP/1.1
[Payloads]
Payload Encoding: enable ( ./\=<>?+&*;:"{}|^`) <--- I don't know why, but it went back to the default settings.

I hope that this bug is fixed quickly. Thanks.
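Added example, not part of the original post and not Burp's own code: a Python check that takes a request template, the payloads, and the request line actually sent, and reports for each position whether the payload went out raw or URL-encoded with the character list quoted in the post. The `$name$` marker syntax follows the post's notation, and the function names are hypothetical.

```python
import itertools
import re

# Character list shown in the post's Payload Encoding setting (leading space included).
ENCODE_SET = ' ./\\=<>?+&*;:"{}|^`'
# Position markers written as $name$, following the post's notation.
MARKER = re.compile(r"\$[^$]+\$")


def url_encode_listed(payload, charset=ENCODE_SET):
    """Percent-encode only the listed characters, lowercase hex as in the post."""
    return "".join(f"%{ord(c):02x}" if c in charset else c for c in payload)


def classify_positions(template, payloads, observed):
    """Return one label per position ('raw', 'encoded', 'unaffected'),
    or None if no raw/encoded combination reproduces the observed line."""
    if len(MARKER.findall(template)) != len(payloads):
        raise ValueError("payload count does not match position count")
    # Candidate (label, text) forms per position; a payload with no listed
    # characters looks the same either way, so it gets a single form.
    candidates = []
    for p in payloads:
        enc = url_encode_listed(p)
        candidates.append([("unaffected", p)] if enc == p
                          else [("raw", p), ("encoded", enc)])
    for combo in itertools.product(*candidates):
        texts = iter(text for _, text in combo)
        rendered = MARKER.sub(lambda _m: next(texts), template)
        if rendered == observed:
            return [label for label, _ in combo]
    return None


if __name__ == "__main__":
    # Values from the post; the template's HTTP version is set to match the sent request.
    template = "POST /example/$p1val$/$p2val$ HTTP/1.1"
    sent = "POST /example/ss.dummy/etc%2fss%2edummy HTTP/1.1"
    print(classify_positions(template, ["ss.dummy", "etc/ss.dummy"], sent))
```

A `None` result means the sent line matches neither form, for example when the escapes use uppercase hex, so the request should be inspected by hand.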

Uthman, PortSwigger Agent | Last updated: Dec 24, 2020 10:43AM UTC

Hi Kaise, Thanks a lot for reporting this. I have replicated this issue and it looks like it was introduced in 2020.12. We will let you know when a fix has been implemented.

David | Last updated: Dec 29, 2020 05:05PM UTC

Please make sure to fix this for "Payload Processing" as well as "Payload Encoding", as both of these are broken in 2020.12 when using more than 1 payload set (e.g., they only apply to the first payload set, and the UI shows the setting for the first payload set regardless of which one of them is selected at the top).

Hannah, PortSwigger Agent | Last updated: Jan 04, 2021 10:36AM UTC

Thank you for the clarification. We've associated this with the ongoing issue.

Matrix | Last updated: Jan 21, 2021 09:17AM UTC

FYI - This issue still exists for Burp Pro v2020.12.1 version. Is there a workaround or any monkey patch to avoid this? It's irritating to install new updates and going back to older versions on encountering such bugs.

Michelle, PortSwigger Agent | Last updated: Jan 22, 2021 02:46PM UTC

This has been raised with our developers, we'll post back here as soon as we have an update.

Hannah, PortSwigger Agent | Last updated: Jan 25, 2021 12:17PM UTC

The cause of the issue has been identified, and there should be a fix for this in our next release.

Nicolas | Last updated: Jan 26, 2021 10:01AM UTC

> It's irritating to install new updates and going back to older versions on encountering such bugs

I fully agree (currently downgrading to 2020.9.2)

Ben, PortSwigger Agent | Last updated: Feb 11, 2021 10:09AM UTC

Hi all, We just wanted to let you all know that the new Burp 2021.2 release should now have fixed the issue you were experiencing in Intruder.
