Burp Suite User Forum


collaborator issues

Vytautas | Last updated: Feb 15, 2016 11:25AM UTC

Hi, I have observed a glitch in collaborator's functionality. While (selectively) testing the persistent-xss module I have noticed the following payload being used: '"><svg%2fonload%3d(new(Image)).src%3d'%2f%2f8aj0dogjoqjmx9n62xhgpsgs4jafy7ovfl2bq0\56b.example.com'> Here the \56 part is odd. It should be a dot. However, it's this weird expression. It seems that the dot symbol (56 in decimal from ascii table), is not properly encoded/decoded. I did not investigate other modules but I guess it's likely that other modules are affected. The bug was verified in v1.6.36. Please let me know (via email) once you have acknowledged/verified the issue.

PortSwigger Agent | Last updated: Feb 15, 2016 02:03PM UTC

Burp is working as intended. The \56 is JavaScript encoding for a dot, using octal notation (not decimal). If the payload is embedded into an HTML document, and the value of the onload attribute is processed as JavaScript, the JS interpreter will treat the \56 as a dot, and so the embedded URL will get processed as we require. The reason Burp deliberately obfuscates the URL in this way is to reduce the likelihood that other components that process the payload data will see the domain name and perform a DNS lookup of it. Some WAF-like products do this when they see a domain name embedded in a parameter value. Using context-specific obfuscation in this way helps to reduce false positives.
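The octal-escape behaviour the agent describes, shown as an added example (this is not PortSwigger's code and not part of the original thread). The first function decodes JavaScript string escapes the way a JS engine does, including the legacy octal rule that `\4`-`\7` take at most two digits while `\0`-`\3` take up to three, so `\56b` becomes `.b`. The second part shows why an inspection component that only looks for literal hostnames misreads the payload: on the raw value it finds `56b.example.com`, and only after URL decoding and JS-escape normalization does it recover the full Collaborator hostname. The payload constant is copied from the first post; the function names, the hostname regex and the two-stage normalization are this example's own assumptions, not Burp's implementation.

```javascript
// Added example, not PortSwigger's code. Normalizes JavaScript string escape
// sequences so that a hostname hidden behind an octal escape such as "\56"
// becomes visible to a detection rule that matches on literal hostnames.

// Decode JS string escapes as the engine would. Handles \xHH, \uHHHH,
// \u{H...}, the single-character escapes, and legacy octal escapes, where a
// leading digit 0-3 may be followed by two more octal digits but a leading
// digit 4-7 by only one (so "\56b" is ".b" and "\560" is ".0").
function decodeJsStringEscapes(s) {
  let out = "";
  let i = 0;
  const simple = { n: "\n", t: "\t", r: "\r", b: "\b", f: "\f", v: "\v" };
  while (i < s.length) {
    const c = s[i];
    if (c !== "\\" || i + 1 >= s.length) { out += c; i++; continue; }
    const n = s[i + 1];
    // \xHH
    if (n === "x" && /^[0-9a-fA-F]{2}$/.test(s.slice(i + 2, i + 4))) {
      out += String.fromCharCode(parseInt(s.slice(i + 2, i + 4), 16));
      i += 4; continue;
    }
    // \uHHHH and \u{H...}
    if (n === "u") {
      if (s[i + 2] === "{") {
        const close = s.indexOf("}", i + 3);
        const hex = close > 0 ? s.slice(i + 3, close) : "";
        if (/^[0-9a-fA-F]{1,6}$/.test(hex)) {
          out += String.fromCodePoint(parseInt(hex, 16));
          i = close + 1; continue;
        }
      } else if (/^[0-9a-fA-F]{4}$/.test(s.slice(i + 2, i + 6))) {
        out += String.fromCharCode(parseInt(s.slice(i + 2, i + 6), 16));
        i += 6; continue;
      }
    }
    // Legacy octal escape: backslash followed by one to three octal digits.
    if (/[0-7]/.test(n)) {
      const maxDigits = n <= "3" ? 3 : 2;
      let j = i + 1;
      while (j < s.length && j - (i + 1) < maxDigits && /[0-7]/.test(s[j])) j++;
      out += String.fromCharCode(parseInt(s.slice(i + 1, j), 8));
      i = j; continue;
    }
    // Single-character escapes; any other escaped character stands for itself.
    out += simple[n] !== undefined ? simple[n] : n;
    i += 2;
  }
  return out;
}

// Payload copied from the first post of the thread (example.com domain as given there).
const COLLABORATOR_PAYLOAD = String.raw`'"><svg%2fonload%3d(new(Image)).src%3d'%2f%2f8aj0dogjoqjmx9n62xhgpsgs4jafy7ovfl2bq0\56b.example.com'>`;

// Assumed hostname pattern: dot-separated labels of letters, digits and hyphens.
const HOSTNAME_RE = /[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)+/gi;

// What a literal-match inspection rule would report for a piece of text.
function findHostnames(text) {
  return text.match(HOSTNAME_RE) || [];
}

// Two-stage normalization: undo URL encoding as the server's parameter parser
// would, then undo JS string escapes as the browser's JS engine would.
function normalizePayload(raw) {
  let s;
  try { s = decodeURIComponent(raw); } catch (e) { s = raw; }
  return decodeJsStringEscapes(s);
}

// Literal scan of the URL-decoded payload sees only "56b.example.com";
// the normalized payload yields the full Collaborator hostname.
console.log(findHostnames(decodeURIComponent(COLLABORATOR_PAYLOAD)));
console.log(findHostnames(normalizePayload(COLLABORATOR_PAYLOAD)));
```

The decoder deliberately avoids `eval`; in strict-mode code and template literals a legacy octal escape is a syntax error, so a normalizer that wants to reason about what a non-strict inline handler would do has to implement the rule itself rather than hand the string to the engine.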

Burp User | Last updated: Feb 16, 2016 06:58AM UTC

Thank you for your answer.
