Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

How can I parse a filename include double quote at upload request ?

BadBug | Last updated: Aug 26, 2020 02:20PM UTC

There's a filename parameters at uplaod request: --------boundary Content-Disposition: form-data; name="img_file"; filename="PROBLEM" Content-Type: application/octet-stream file_content --------boundary-- How can I input the filename that includes `"`(double quote) ? I have search for the RFC document: https://tools.ietf.org/html/rfc6266 I wanna use this: filename*=utf-8''%e2%82%ac%20rates BUUUUT!!! When I add * after filename, the value will turn blue to dark (means burp didn't accept this as value) and didn't work. How can I solve this ?

Liam, PortSwigger Agent | Last updated: Aug 27, 2020 07:00AM UTC

Could it be possible to provide a screenshot demonstrating your issue?

BadBug | Last updated: Aug 27, 2020 08:54AM UTC

Sure!! Normal way without quote : https://imgur.com/y1QiIG2 Using RFC format (filename=utf-8''sttring) to send the quote string: https://imgur.com/yiSoJtz The burp doesn't accept this format.

BadBug | Last updated: Aug 27, 2020 08:57AM UTC

Does this format (filename=utf-8''strings) condition to whether server recognize or not ? If server can't recognize it, no matter how hard you try u just can't parse the " char ?

BadBug | Last updated: Aug 27, 2020 09:00AM UTC

Sorry the format above I typed it wrong, it's filename*=utf-8''strings

Liam, PortSwigger Agent | Last updated: Aug 27, 2020 03:32PM UTC

To clarify, are you concerned with the color? If so, this shouldn't be an issue, Burp will send the message as it is in the editor. Is there an issue with what you are getting back in the response?

BadBug | Last updated: Aug 28, 2020 01:48AM UTC

Yes there are. The server seems stop getting value when it shows double quote no matter what format I tried. filename*=utf-8''strings doesn't work neither. I have tried following format, none of them worked: 1. filename*=utf-8''strings (RFC format, doesn't work) 2. filename="double"quote" (response get the strings `double` and ignore the `quote`) 3. filename="double%22quote" (server get the value %22 not ") 4. filename='double"quote' (server didn't get the value) 5. filename="U+0022 quote" (get U+0022 quote) 6. filename="\u0022 quote" (get \u0022 quote) 7. filename="/" (error, so it can be injected, server take it as a path that linux forbid it to set as filename, confirm it on server, btw server will add things before the filename you can control, so we can't just inject it by /bla/bla/bla, we need double quote ) 8. filename="\"hello" (server get only the value `\` ) 9. filename=" \\ \" testit" (server get the value ` \\ \`) 10. filename=" double " quote" (server get ` double `)

Liam, PortSwigger Agent | Last updated: Sep 02, 2020 07:53AM UTC