The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


collaborator issues

Vytautas | Last updated: Feb 15, 2016 11:25AM UTC

Hi, I have observed a glitch in Collaborator's functionality. While (selectively) testing the persistent-xss module I have noticed the following payload being used: '"><svg%2fonload%3d(new(Image)).src%3d'%2f%2f8aj0dogjoqjmx9n62xhgpsgs4jafy7ovfl2bq0\56b.example.com'> Here the \56 part is odd. It should be a dot. However, it's this weird expression. It seems that the dot symbol (56 in decimal from the ASCII table) is not properly encoded/decoded. I did not investigate other modules, but I guess it's likely that other modules are affected. The bug was verified in v1.6.36. Please let me know (via email) once you have acknowledged/verified the issue.

PortSwigger Agent | Last updated: Feb 15, 2016 02:03PM UTC

Burp is working as intended. The \56 is JavaScript encoding for a dot, using octal notation (not decimal). If the payload is embedded into an HTML document, and the value of the onload attribute is processed as JavaScript, the JS interpreter will treat the \56 as a dot, and so the embedded URL will get processed as we require. The reason Burp deliberately obfuscates the URL in this way is to reduce the likelihood that other components that process the payload data will see the domain name and perform a DNS lookup of it. Some WAF-like products do this when they see a domain name embedded in a parameter value. Using context-specific obfuscation in this way helps to reduce false positives.
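
As an added example (not code from PortSwigger, Burp or anyone in this thread), the decoding the agent describes and its consequence for a detection component: a hostname matcher run over the raw parameter value never sees the unique Collaborator subdomain until legacy octal escapes are normalised first. The decoder regex, the hostname regex and the function names are my own assumptions; the payload is the one quoted in the first post.

```javascript
// Added example, not code from PortSwigger or the Burp project: how a JavaScript string
// literal turns "\56" into ".", and a normaliser a detection rule can apply to a
// parameter value so an octal-escaped domain name becomes visible to a pattern match.

// Constructed sample: the onload payload from the thread, URL-decoded as the browser
// would see it in the attribute. The subdomain is the one quoted in the post above;
// "\\56" in this source is the two characters backslash, 5, 6 in the payload.
const PAYLOAD_RAW =
  "'\"><svg/onload=(new(Image)).src='//8aj0dogjoqjmx9n62xhgpsgs4jafy7ovfl2bq0\\56b.example.com'>";

// Legacy octal escape in a (non-strict) JS string literal: \0 to \377, at most three
// digits, and only two when the first digit is 4-7 so the value stays below 256.
const OCTAL_ESCAPE = /\\([0-3][0-7]{0,2}|[4-7][0-7]?)/g;

// Replace each octal escape with the character it denotes, e.g. \56 -> "." (0o56 = 46).
function decodeJsOctalEscapes(s) {
  return s.replace(OCTAL_ESCAPE, (_, oct) => String.fromCharCode(parseInt(oct, 8)));
}

// What the JS engine itself does: evaluate the literal in a non-strict function body
// (legacy octal escapes are a SyntaxError in strict-mode code).
function interpreterDecodes(octalDigits) {
  return new Function(`return '\\${octalDigits}'`)();
}

// Assumed naive hostname matcher of the kind a WAF-like product might run over a
// parameter value: it needs literal dots, so on the raw payload it only sees the tail
// after the escape, never the unique Collaborator subdomain.
const HOSTNAME = /\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b/gi;

function findHostnames(s) {
  return s.match(HOSTNAME) || [];
}

// Detection-side fix: normalise the escapes first, then match.
function findHostnamesNormalised(s) {
  return findHostnames(decodeJsOctalEscapes(s));
}

console.log(findHostnames(PAYLOAD_RAW));            // [ '56b.example.com' ]
console.log(findHostnamesNormalised(PAYLOAD_RAW));  // [ '8aj0dogjoqjmx9n62xhgpsgs4jafy7ovfl2bq0.b.example.com' ]
```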

Burp User | Last updated: Feb 16, 2016 06:58AM UTC