Burp Suite User Forum


Fuzzing parameter names

Abde | Last updated: Feb 06, 2023 03:31PM UTC

Hello, is there a way to instruct Burp to include the input/parameter names in the scope of scans? The idea is to automate this process: https://portswigger.net/blog/attacking-parameter-names and to detect hidden SQL injection, for example. Thanks in advance for your advice.

Ben, PortSwigger Agent | Last updated: Feb 08, 2023 11:34AM UTC

Hi Abde, Just to clarify, what are you trying to control - the payload, where the payload is being used or something else?

Abde | Last updated: Mar 07, 2023 10:26AM UTC

Hello Ben, I want to control where the payloads will be used during the automated scans. For example, let's suppose we have a URL similar to this: https://www.example.com/?q=value. The idea will be to test injection in the "q" param name and also in the "value".

Ben, PortSwigger Agent | Last updated: Mar 08, 2023 07:52AM UTC

Hi, You have the option to configure which locations you would like payloads to be placed into within requests within the 'Insertion Point Types' section of the audit configuration, as illustrated below: https://snipboard.io/8grDth.jpg. By default these are all enabled.
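
To make the name-versus-value distinction discussed in this thread concrete, the following added example (not from the thread and not Burp's implementation) enumerates both kinds of query-string position for a URL and reports which positions a scan restricted to certain kinds would never touch. The function names and the inert `INSERTION_POINT` marker are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MARKER = "INSERTION_POINT"  # constructed, inert placeholder (assumption), not a payload


def insertion_points(url, marker=MARKER):
    """Return (kind, parameter, variant_url) for every query-string position.

    kind is "value" when the marker replaces the parameter's value, and
    "name" when it replaces the parameter's name (original value kept).
    All other parameters keep their position and content.
    """
    parts = urlsplit(url)
    # keep_blank_values: "?debug=" is still a position worth covering
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    variants = []
    for i, (name, value) in enumerate(pairs):
        for kind, replacement in (("value", (name, marker)),
                                  ("name", (marker, value))):
            mutated = pairs[:i] + [replacement] + pairs[i + 1:]
            variant = urlunsplit(parts._replace(query=urlencode(mutated)))
            variants.append((kind, name, variant))
    return variants


def coverage_gap(url, tested_kinds):
    """Positions that a scan limited to tested_kinds would leave untested."""
    return [(kind, name) for kind, name, _ in insertion_points(url)
            if kind not in tested_kinds]


if __name__ == "__main__":
    # URL taken from the thread
    for kind, name, variant in insertion_points("https://www.example.com/?q=value"):
        print(f"{kind:5} {name}: {variant}")
    # A values-only configuration never exercises the parameter names
    print(coverage_gap("https://www.example.com/?q=value&debug=", {"value"}))
```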
