The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum


Bruteforce API endpoint that uses encoding

Viral | Last updated: Jul 04, 2024 06:52AM UTC

Hello, I have a request format like this:

POST /api/login HTTP/1.1
Host: www.domain.com
Device_type: A
X-Authorization:
Authorization:
Content-Type: multipart/form-data; boundary=d62e5784-ca6b-49ed-8cd9-34343c8dde
Content-Length: 262
Accept-Encoding: gzip, deflate, br
User-Agent: okhttp/5.0.0-alpha.12
Connection: keep-alive

--d62e5784-ca6b-49ed-8cd9-17740d3c5555
Content-Disposition: form-data; name="req"

{"method_name":"log_in","data":{"username":"§Testusername§","password":"§Testpass§"},"api_referrer":"mobile"}
--d62e5784-ca6b-49ed-8cd9-17740d3c5555--

I want to bruteforce this endpoint, but before that I want to encode it in base64, so how do I do it using Intruder? In the payload settings there is payload processing, but it's for encoding my added data here (username, password). And if I add the whole string as the payload, I can perform bruteforce on username and password, as it bruteforces the other area except username and password, like this:

§{"method_name":"login","data":{"username":"§yuiukuui§","password":"§yuiyuii§"},"api_referrer":"mobile"}§

So is there any way I can do it?

Hannah, PortSwigger Agent | Last updated: Jul 04, 2024 01:47PM UTC

Hi

Just to clarify, would you like the entire string to be base64 encoded after you've inserted your payloads for username and password?

Using the BApp Store extension, "Hackvertor", you can add encoding tags to outgoing Intruder requests. Visually, the Intruder attack results window won't display the encoded data. However, if you check your "Logger" output, you can see that the outgoing request has been encoded.

Here's an example of a request I used with the Hackvertor extension installed:
GET / HTTP/2
Host: portswigger-labs.net
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
Connection: close
Cache-Control: max-age=0

<@base64>test§§foo<@/base64>
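
Seen from the server side, a body wrapped this way hides the username and password from any control that inspects the raw request, so login-guessing detection has to decode first. The sketch below is an added example, not part of the original thread or of Burp or Hackvertor. It assumes the `req` form field carries base64 of the JSON shown in the question; the function names, source addresses and sample values are constructed for illustration.

```python
import base64
import hashlib
import json
from collections import defaultdict

def extract_login(req_field):
    """Decode a base64 `req` form value; return (username, password) or None."""
    try:
        # validate=True rejects non-alphabet characters instead of skipping them
        doc = json.loads(base64.b64decode(req_field.strip(), validate=True))
    except ValueError:  # covers binascii.Error, bad UTF-8 and bad JSON
        return None
    data = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(data, dict):
        return None
    user, password = data.get("username"), data.get("password")
    return (user, password) if isinstance(user, str) and isinstance(password, str) else None

def flag_guessing(events, threshold=3):
    """Return ({(source, username): distinct password count}, undecodable count)."""
    seen = defaultdict(set)
    undecodable = 0
    for source, req_field in events:
        login = extract_login(req_field)
        if login is None:
            undecodable += 1  # malformed bodies are a signal worth counting too
            continue
        user, password = login
        # keep only a digest so the detector never stores submitted passwords
        seen[(source, user)].add(hashlib.sha256(password.encode("utf-8", "replace")).digest())
    flagged = {key: len(pws) for key, pws in seen.items() if len(pws) >= threshold}
    return flagged, undecodable

def sample_req(user, password):
    """Build a constructed `req` value in the shape shown in the question."""
    body = {"method_name": "log_in", "data": {"username": user, "password": password}, "api_referrer": "mobile"}
    return base64.b64encode(json.dumps(body).encode()).decode()

# Constructed events: (source address, value of the `req` form field)
SAMPLE_EVENTS = [
    ("203.0.113.7", sample_req("alice", "guess1")),
    ("203.0.113.7", sample_req("alice", "guess2")),
    ("203.0.113.7", sample_req("alice", "guess3")),
    ("198.51.100.4", sample_req("bob", "hunter2")),
    ("198.51.100.4", sample_req("bob", "hunter2")),  # same password retried
    ("198.51.100.9", "not base64!"),
]
```

Counting distinct password digests per source and username separates a user retrying one password from a run of different guesses against the same account.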

Viral | Last updated: Jul 05, 2024 01:09PM UTC

Thanks a lot, that works for me.

Hannah, PortSwigger Agent | Last updated: Jul 05, 2024 03:45PM UTC

Hi

Glad to hear that helped!
