Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Handling multipart requests with Montoya API

Alla | Last updated: Sep 05, 2023 10:43AM UTC

Is there an example of how to handle multipart parameters in Montoya API? I can fetch the parameters from the request using HttpRequest().parameters(). If some of the parameters are files with a filename, somewhere in there will be "filename" parameter with type "MULTIPART_ATTRIBUTE". How do I know which parameter this attribute applies to? Another question, how do I fetch Content-Type for a multipart parameter?

Hannah, PortSwigger Agent | Last updated: Sep 05, 2023 04:17PM UTC

Hi We don't have any examples for multipart parameters. Could you provide some more information on the functionality you are trying to perform?

Alla | Last updated: Sep 08, 2023 09:06AM UTC

I am trying to make an extension that generates JSON representation of requests. A simple POST request that looks like this: POST /something HTTP/1.1 Host: whatever Content-type: application/x-www-form-urlencoded name=value will be converted to {"method":"POST", "path":"/something", "data":{"name":"value"}} This JSON representation then can be used in scripts to replay the request with various modifications. I am using it with a python wrapper to send the request with different headers or different SSL client certificates, or to implement muti-step scenarios. Now I want to achieve a similar conversion for multipart/form-data requests. Let's say I have a request: POST /upload HTTP/1.1 Host: 10.0.0.10:8443 Content-Length: 269 Content-Type: multipart/form-data; boundary=6f5e15161fd7ef2c2170a13c8c93af6c --6f5e15161fd7ef2c2170a13c8c93af6c Content-Disposition: form-data; name="file"; filename="test.txt" Content-Type: text/plain texttext --6f5e15161fd7ef2c2170a13c8c93af6c Content-Disposition: form-data; name="param" value --6f5e15161fd7ef2c2170a13c8c93af6c-- There are three items in burp.api.montoya.http.message.HttpRequestResponse.request().parameters() for this request Name: filename, value: test.txt, type: MULTIPART_ATTRIBUTE Name: file, value: texttext, type: BODY Name: param, value: value, type: BODY The content-type header of the file parameter is not available anywhere, and there is no way to tell which parameter MULTIPART_ATTRIBUTE is related to, except by the order of the parameters (and I am not sure this is the right way). So I guess what I want is some more structured way of handling multipart parameters, so I can extract the data necessary to build something like this for the above request: {"method":"POST", "path":"/upload", "files":[{"name":"file", "value":"texttext", "filename":"test.txt", "Content-type":"text/plain"}, {"name":"param", "value":"value"}]}

Hannah, PortSwigger Agent | Last updated: Sep 08, 2023 04:07PM UTC