Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Handling multipart requests with Montoya API

Alla | Last updated: Sep 05, 2023 10:43AM UTC

Is there an example of how to handle multipart parameters in Montoya API? I can fetch the parameters from the request using HttpRequest().parameters(). If some of the parameters are files with a filename, somewhere in there will be "filename" parameter with type "MULTIPART_ATTRIBUTE". How do I know which parameter this attribute applies to? Another question, how do I fetch Content-Type for a multipart parameter?

Hannah, PortSwigger Agent | Last updated: Sep 05, 2023 04:17PM UTC

Hi We don't have any examples for multipart parameters. Could you provide some more information on the functionality you are trying to perform?

Alla | Last updated: Sep 08, 2023 09:06AM UTC

I am trying to make an extension that generates JSON representation of requests. A simple POST request that looks like this: POST /something HTTP/1.1 Host: whatever Content-type: application/x-www-form-urlencoded name=value will be converted to {"method":"POST", "path":"/something", "data":{"name":"value"}} This JSON representation then can be used in scripts to replay the request with various modifications. I am using it with a python wrapper to send the request with different headers or different SSL client certificates, or to implement muti-step scenarios. Now I want to achieve a similar conversion for multipart/form-data requests. Let's say I have a request: POST /upload HTTP/1.1 Host: 10.0.0.10:8443 Content-Length: 269 Content-Type: multipart/form-data; boundary=6f5e15161fd7ef2c2170a13c8c93af6c --6f5e15161fd7ef2c2170a13c8c93af6c Content-Disposition: form-data; name="file"; filename="test.txt" Content-Type: text/plain texttext --6f5e15161fd7ef2c2170a13c8c93af6c Content-Disposition: form-data; name="param" value --6f5e15161fd7ef2c2170a13c8c93af6c-- There are three items in burp.api.montoya.http.message.HttpRequestResponse.request().parameters() for this request Name: filename, value: test.txt, type: MULTIPART_ATTRIBUTE Name: file, value: texttext, type: BODY Name: param, value: value, type: BODY The content-type header of the file parameter is not available anywhere, and there is no way to tell which parameter MULTIPART_ATTRIBUTE is related to, except by the order of the parameters (and I am not sure this is the right way). So I guess what I want is some more structured way of handling multipart parameters, so I can extract the data necessary to build something like this for the above request: {"method":"POST", "path":"/upload", "files":[{"name":"file", "value":"texttext", "filename":"test.txt", "Content-type":"text/plain"}, {"name":"param", "value":"value"}]}

Hannah, PortSwigger Agent | Last updated: Sep 08, 2023 04:07PM UTC

Hi It sounds like our current functionality is not quite enough for your use case. It would likely be a better idea for you to retrieve the raw byte or String value of the response and process it with your own methods. That way, you can be certain that the order of parameters is correct, and you can utilize the Content-Type of the contents within the boundary.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.