The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


How can I modify the Content-Disposition: form-data header when intercepting a file upload submit?

Rick | Last updated: Apr 14, 2022 01:42AM UTC

Hello, I'm working with a Burp Pro crawl/audit and want to investigate a Cross-site scripting (stored) vulnerability. I have the Requests in the dashboard and I see that a payload of something like vbscript:msgbox(92148218) needs to be submitted in the filename multipart parameter attribute on a file upload page. But if I intercept the same page using Proxy for a file upload submit, I don't see any way to edit the Content-Disposition header like the example in the report:

    ------WebKitFormBoundaryeHRrO51AQu9J98yS
    Content-Disposition: form-data; name="upload"; filename="vbscript:msgbox(92148218)"

Most parameters are obvious on how to edit them, but not this.

Thanks,
Rick

Michelle, PortSwigger Agent | Last updated: Apr 14, 2022 08:41AM UTC

Thanks for your message. You might find some of the resources and labs on our Web Security Academy helpful; we have a whole section on file upload vulnerabilities and some labs where you can test out how to manipulate the requests: https://portswigger.net/web-security/file-upload

If you're still having issues, can you send some screenshots of the sequence of requests you're intercepting to support@portswigger.net? If you just perform the file upload without intercepting the requests, are you able to find the request you're interested in and send it to the Repeater tab?

Rick | Last updated: Apr 14, 2022 04:07PM UTC

Here is a request that was in the report based on the crawl of my test site. This was done on a page that had a file upload. I can take this request and use Repeater to replay it, but I'd like to actually test this live in the Burp browser by using the Proxy Intercept. When I submit the file upload, Intercept has the breakpoint and I can modify things like parameters, but I see nowhere I can edit the filename string in "Content-Disposition: form-data; name="upload"; filename". Here is the beginning of one of the requests used in the auditing:

    POST /ContosoFinancial/doUpload.action HTTP/1.1
    Host: contosofinancial-186521-sxnfo9rsehtkrfrz.southcentralus.cloudapp.azure.com
    Content-Length: 2046751
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://contosofinancial-186521-sxnfo9rsehtkrfrz.southcentralus.cloudapp.azure.com
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeHRrO51AQu9J98yS
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://contosofinancial-186521-sxnfo9rsehtkrfrz.southcentralus.cloudapp.azure.com/ContosoFinancial/loan.action?name=arnold
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: JSESSIONID=EEB889B155A48E49A039CC0DE22A80EB
    Connection: close

    ------WebKitFormBoundaryeHRrO51AQu9J98yS
    Content-Disposition: form-data; name="upload"; filename="vbscript:msgbox(92148218)"
    Content-Type: image/jpeg

Thanks,
Rick

Ben, PortSwigger Agent | Last updated: Apr 14, 2022 05:55PM UTC

Hi Rick,

Can you perform a file upload on your site whilst proxying the traffic but with the 'Intercept is off' configuration set under Proxy -> Intercept (so that the traffic still passes through Burp but without the requirement for you to perform any manual actions on said traffic in order for it to reach the destination web server)? If you then view the Proxy -> HTTP history tab, is the file upload POST request present within the requests here (the HTTP history tab should show all of the requests that have passed through the proxy)?

I just want to check that, in the first instance, the request that you are looking for is actually being issued. Performing a file upload whilst proxying the traffic through Burp should allow us to see the complete sequence of requests from your actions in order to determine this.

Rick | Last updated: Apr 14, 2022 08:30PM UTC

Yes, that does show the upload, through Proxy/HTTP History. I can't paste a screenshot in here, but following your directions, in the HTTP history I see a line item for URL: MySite/doUpload.action, and then under that in the Request pane in the lower left I see:

    ----------------------------------------------------------------
    POST /ContosoFinancial/doUpload.action HTTP/1.1
    Host: contosofinancial-186521-36omrgiropjdg3v6.eastus.cloudapp.azure.com
    Content-Length: 38437
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://contosofinancial-186521-36omrgiropjdg3v6.eastus.cloudapp.azure.com
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0nF9U0bdC6h3B0vn
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://contosofinancial-186521-36omrgiropjdg3v6.eastus.cloudapp.azure.com/ContosoFinancial/loan.action?alertMsg=&name=arnold
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: JSESSIONID=9D22262A650F2964717A59EE5A8D904D
    Connection: close

    ------WebKitFormBoundary0nF9U0bdC6h3B0vn
    Content-Disposition: form-data; name="upload"; filename="Kernelcon 2022 notes.docx"
    Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
    ----------------------------------------------------------------

So since that works, I'm back to the question about how I would manually intercept and be able to modify Content-Disposition: form-data; name="upload"; filename="xx" in order to perform a SQL injection attempt against the filename="" value.

Thanks, and the support services here are great!
Rick
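The thread turns on one point: the filename in the Content-Disposition part header is ordinary client-controlled input, which is exactly why a proxy can rewrite it and why the server must treat it as untrusted. The following Python is an added example (not from the thread and not PortSwigger's code). It constructs a one-part multipart/form-data body in the same shape as the request Rick quoted (boundary taken from his capture, file content a constructed stand-in), parses it with the standard library's MIME parser as a server would, and then shows the server-side handling a defender would want: allowlist sanitisation before the name is stored, HTML encoding where it is displayed, and a download link built from the sanitised name rather than the raw value. The functions, the `/uploads/` prefix and the allowlist are assumptions for the example.

```python
import html
import re
import urllib.parse
from email.parser import BytesParser
from email.policy import HTTP

# Boundary taken from the request quoted in the thread; the body lines carry
# two extra leading dashes, exactly as in Rick's capture.
BOUNDARY = "----WebKitFormBoundaryeHRrO51AQu9J98yS"


def build_multipart(field, filename, content_type, data, boundary=BOUNDARY):
    """Build a one-part multipart/form-data body in the shape the browser sends.

    The filename attribute is whatever the client chooses to put there; an
    intercepting proxy can rewrite it freely, so the server must not trust it.
    """
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail


def parse_multipart(body, boundary=BOUNDARY):
    """Parse the body as a server would, using the standard-library MIME parser."""
    envelope = f"Content-Type: multipart/form-data; boundary={boundary}\r\n\r\n".encode()
    msg = BytesParser(policy=HTTP).parsebytes(envelope + body)
    parts = []
    for part in msg.iter_parts():
        parts.append({
            "name": part.get_param("name", header="content-disposition"),
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "data": part.get_payload(decode=True),
        })
    return parts


# Assumed allowlist: characters kept in a stored filename; everything else becomes '_'.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(raw, max_len=64):
    """Reduce a client-supplied filename to a name that is safe to store.

    Drops any directory component (either slash style), replaces everything
    outside the allowlist (so ':' '(' ')' '<' '>' '"' and whitespace all become
    '_'), trims leading/trailing dots so the result cannot be hidden or '..',
    caps the length, and falls back to a fixed name if nothing is left.
    """
    base = raw.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = _UNSAFE.sub("_", base).strip("._")[:max_len]
    return cleaned or "upload"


def reflect_filename(raw):
    """HTML-encode the name for the one place it is echoed as text.

    Encoding alone does not help when the value lands in a URL attribute:
    'vbscript:msgbox(92148218)' contains nothing html.escape changes, so a
    link built from the raw name would still carry a script scheme.
    """
    return html.escape(raw, quote=True)


def safe_href(raw):
    """Build the download link from the sanitised name under a fixed prefix
    (assumed '/uploads/'), never from the raw value, so no scheme or path
    component can reach href/src."""
    return "/uploads/" + urllib.parse.quote(sanitize_filename(raw))


def handle_upload(body, boundary=BOUNDARY):
    """Simulated server-side handler: parse, then derive only safe values."""
    files = [p for p in parse_multipart(body, boundary) if p["filename"] is not None]
    if len(files) != 1:
        raise ValueError("expected exactly one file part")
    part = files[0]
    return {
        "field": part["name"],
        "raw_filename": part["filename"],
        "stored_as": sanitize_filename(part["filename"]),
        "display": reflect_filename(part["filename"]),
        "href": safe_href(part["filename"]),
        "size": len(part["data"]),
    }


if __name__ == "__main__":
    # Constructed sample: the payload filename from the thread with a stand-in file body.
    body = build_multipart("upload", "vbscript:msgbox(92148218)", "image/jpeg", b"not really a jpeg")
    print(body.decode())
    for key, value in handle_upload(body).items():
        print(f"{key}: {value}")
```

The split between `sanitize_filename`, `reflect_filename` and `safe_href` is deliberate: a name is stored once but rendered in several contexts, and the thread's `vbscript:` payload is a reminder that HTML encoding covers only the text context, while a URL context needs the value rebuilt from a sanitised form.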

Hannah, PortSwigger Agent | Last updated: Apr 18, 2022 10:39AM UTC