Burp Suite User Forum


Decoder - URL and HTML encode special characters only

Robert | Last updated: Sep 30, 2020 03:08PM UTC

Can you please add the ability to Decoder to encode the special URL and HTML characters only? The need to do this comes up quite often during application testing. For example, consider the first lab of the Burp Academy SSRF guide, https://portswigger.net/web-security/ssrf, where the payload is "stockApi=http://stock.weliketoshop.net:8080/product/stock/check%3FproductId%3D6%26storeId%3D1". When introducing my own payload and attempting to URL encode "http://localhost/admin/delete?username=carlos" in Decoder, the result would be "%68%74%74%70%3A%2F%2F%6C%6F%63%61%6C%68%6F%73%74%2F%61%64%6D%69%6E%2F%64%65%6C%65%74%65%3F%75%73%65%72%6E%61%6D%65%3D%63%61%72%6C%6F%73" instead of the desired "http%3A%2F%2Flocalhost%2Fadmin%2Fdelete%3Fusername%3Dcarlos". The same applies to HTML encoding.

Uthman, PortSwigger Agent | Last updated: Oct 01, 2020 11:06AM UTC

Hi Robert,

Thanks a lot for your request. At the moment, the decoder will encode/decode in entirety (i.e. all characters) without the ability to understand that only key characters should be encoded/decoded in a URL. We are working on a new feature that may deprecate this.

In the meantime, I would suggest pasting this into a new Repeater tab > right-click > Convert selection > URL-encode key characters. Alternatively, you can right-click > URL-encode as you type > manually type in the URL in a Repeater tab.
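The two encodings contrasted in this thread, as an added Python example that is not part of the original posts and is not Burp's implementation. It assumes "special" means every character outside the RFC 3986 unreserved set, which reproduces the string Robert asks for; Burp's own "key characters" set may differ, and the function names and the HTML sample string are made up for illustration.

```python
import html
from urllib.parse import quote, unquote

# String taken from the forum post above.
PAYLOAD = "http://localhost/admin/delete?username=carlos"


def url_encode_all(text: str) -> str:
    """Percent-encode every byte, like the Decoder output quoted in the post."""
    return "".join(f"%{b:02X}" for b in text.encode("utf-8"))


def url_encode_special(text: str) -> str:
    """Percent-encode only characters outside the RFC 3986 unreserved set.

    Assumption: "special" means everything except A-Z a-z 0-9 - . _ ~
    (this matches the desired output in the post, not necessarily Burp).
    """
    return quote(text, safe="")


def html_encode_all(text: str) -> str:
    """Encode every character as a hexadecimal numeric character reference."""
    return "".join(f"&#x{ord(c):x};" for c in text)


def html_encode_special(text: str) -> str:
    """Encode only & < > " ' and leave everything else readable."""
    return html.escape(text, quote=True)


def same_after_decoding(text: str) -> bool:
    """Check that both forms of each encoding decode back to the same text."""
    return (
        unquote(url_encode_all(text)) == text
        and unquote(url_encode_special(text)) == text
        and html.unescape(html_encode_all(text)) == text
        and html.unescape(html_encode_special(text)) == text
    )


if __name__ == "__main__":
    print(url_encode_all(PAYLOAD))
    print(url_encode_special(PAYLOAD))
    print(html_encode_special('<a href="?a=1&b=2">'))  # constructed sample
    print(same_after_decoding(PAYLOAD))
```

Both forms decode to the same value on the receiving side, so the selective form is only easier to read and edit, and any filter or log rule that inspects such parameters should compare the decoded value rather than the raw string.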
