Header injection using Burp Intruder is not working as expected

vytautas | Last updated: Nov 04, 2019 12:01AM UTC

Hi, I noticed one problem while trying to do automatic header injection using Intruder. I created an empty placemarker in the Positions tab because I want to insert a new header from the list of headers I have. That is not a problem; however, the problem is that the ":" gets replaced with "%3a%" for whatever reason. The question is: is it normal to be that way, or is it a bug? Because it means that I can't automate the process for injecting extra headers. Instead of getting the original value from the list of payloads:

Accept: text/plain

I am getting the following:

Accept%3a%20text%2fplain

I am wondering, then, how come the original headers are not affected if they are in the same format? Thanks for your answers and suggestions in advance. I am running the free edition and it is the latest version as of the post date.

Mike, PortSwigger Agent | Last updated: Nov 04, 2019 10:25AM UTC

Hi, in the Intruder > Payloads tab, at the bottom you should see a section labeled 'Payload Encoding'. This section allows you to define certain characters that will be URL-encoded when processed by Intruder. The ':' character that you have referenced is configured by default to be encoded. If you remove it from the list/disable this feature, you should no longer encounter this change happening during the attack phase.
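An added illustration (not part of the original thread and not Burp Suite code) of the behaviour discussed above: a Python model of a per-character URL-encoding option applied to header payloads. The encode set is an assumption taken from the three characters visibly encoded in the quoted output; the function names and the second and third sample payloads are constructed for this example.

```python
# Added illustration; not Burp Suite code. Models a "URL-encode these
# characters" payload option applied to header-line payloads.

# Assumption: encode set inferred from the output quoted in the thread
# (':' -> %3a, ' ' -> %20, '/' -> %2f). The real default list may differ.
OBSERVED_ENCODE_SET = set(": /")


def encode_payload(payload, encode_set):
    """Percent-encode only characters in encode_set (lowercase hex, as quoted)."""
    out = []
    for ch in payload:
        if ch in encode_set:
            out.extend("%{:02x}".format(b) for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def is_header_line(line):
    """True if line still has the 'Name: value' shape with a token-like name."""
    name, sep, _value = line.partition(":")
    return bool(sep) and bool(name) and not any(c in name for c in " %\t")


def preflight(payloads, encode_set):
    """Return (payload, sent_form, intact) for each payload in the list."""
    results = []
    for p in payloads:
        sent = encode_payload(p, encode_set)
        results.append((p, sent, sent == p and is_header_line(sent)))
    return results


# Constructed sample payload list (first entry is the one from the thread).
SAMPLE_PAYLOADS = ["Accept: text/plain", "Accept-Language: en-US",
                   "Cache-Control: no-cache"]

if __name__ == "__main__":
    for label, chars in [("observed set", OBSERVED_ENCODE_SET),
                         ("':' removed only", OBSERVED_ENCODE_SET - {":"}),
                         ("encoding disabled", set())]:
        print(label)
        for original, sent, intact in preflight(SAMPLE_PAYLOADS, chars):
            print("  {!r} -> {!r} intact={}".format(original, sent, intact))
```

In this model, removing only ':' from the set still leaves the space and '/' encoded, so every listed character that occurs in the header payloads has to come out of the list, or the option has to be disabled.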

Burp User | Last updated: Nov 04, 2019 02:12PM UTC

Sorry for my silly incompetence; I should put that in the how-to section. When I have the money I will buy the Pro because the app is outstanding. Also, I find this software educational because I can learn about different elements of the web.

