Burp community forum

Disabling URL Encoding in Spider

Vladamir | Last updated: Jul 12, 2019 01:17PM UTC

Hi, Intruder has a feature that allows the user to specify whether or not special characters should be URL-encoded. Is there a similar feature for custom values submitted with the spider?

Liam, PortSwigger Agent | Last updated: Jul 15, 2019 02:31PM UTC

There is no similar feature in Burp Spider. It's worth noting that we have replaced Burp Spider with Burp Crawler. Could you let us know your exact use case for this feature?

Burp User | Last updated: Jul 16, 2019 02:19PM UTC

I haven't upgraded to the newest version of Burp yet. I'll have to do that. But the reason I ask is because sometimes when I'm doing manual testing I want the spider to submit a bunch of special characters into all parameters. Then I can look for strange behavior, errors, and so on. When the request is a GET, the characters are double encoded; so if I tell Burp to submit this:

'";>/<

The spider submits the following:

%2527%2522%253b%253e%252f%253c

This may cause the application to behave differently than if it submitted this:

'%22;%3E%2f%3C

Or at least that was my assumption. I'm not too experienced with webapp testing yet so maybe I'm just mistaken.
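The difference between the two wire forms in the post above, as an added example that is not part of the original thread. It assumes the application URL-decodes each query value exactly once; the function names are hypothetical.

```python
from urllib.parse import quote, unquote

# Strings taken from the post above.
PAYLOAD = "'\";>/<"
DOUBLE_ENCODED = "%2527%2522%253b%253e%252f%253c"
MIXED_ENCODED = "'%22;%3E%2f%3C"


def encode_n(value: str, times: int) -> str:
    """Percent-encode every reserved character, `times` times over."""
    for _ in range(times):
        value = quote(value, safe="")
    return value


def server_view(wire_value: str) -> str:
    """What the application receives, assuming one decoding pass."""
    return unquote(wire_value)


def encoding_depth(wire_value: str, limit: int = 5):
    """Count decoding passes until the value stops changing.

    Returns (depth, fully_decoded_value). A depth above 1 means the
    value was encoded more than once before it was sent.
    """
    depth = 0
    while depth < limit:
        decoded = unquote(wire_value)
        if decoded == wire_value:
            break
        wire_value = decoded
        depth += 1
    return depth, wire_value


if __name__ == "__main__":
    for wire in (DOUBLE_ENCODED, MIXED_ENCODED):
        depth, plain = encoding_depth(wire)
        print(f"wire={wire!r} app_sees={server_view(wire)!r} "
              f"depth={depth} plain={plain!r}")
```

After one decoding pass the double-encoded form is still percent-encoded text, so the application never receives the raw special characters, while the second form decodes to the intended string.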

Liam, PortSwigger Agent | Last updated: Jul 16, 2019 03:00PM UTC

This doesn't sound like something a crawler / spider is designed for. This sounds more like a scan check. You could try using the Scan Check builder from the BApp store:

https://portswigger.net/bappstore/618f0b2489564607825e93eeed8b9e0a

Please let us know if you need any further assistance.
