Burp community forum

Ignores JSON parameters after {}

Masahiro | Last updated: Apr 23, 2019 06:13AM UTC

Dear, I found that the string {} in JSON of a request body, meaning an empty object, makes following parameters not recognized as the ones. The version is Burp Suite Professional v1.7.37. For example, I have a POST request with the following body in Intruder: { param_a: "val_a", param_b: { param_b_1: 10, param_b_2: true }, param_c: {}, param_d: 80, param_e: [1, 2, 3, 4] } Pushing "Auto §" button, I see the values of parameters d and e are not marked as payload positions although the others are successful. On the other hand, if the chars {} are not continuous such as "{ }" with a space, the all parameters are recognized as expected. Scanner seems to behave as same, as I found in the session tracer. This may let us skip scanning target parameters unconsciously. I wish this is fixed. Regards

Liam, PortSwigger Agent | Last updated: Apr 23, 2019 09:50AM UTC

Thanks for this report. We'll investigate this issue and get back to you when we've made some progress.

Rose, PortSwigger Agent | Last updated: Apr 29, 2019 07:22AM UTC

This issue should be fixed in the next release of Burp 2. Thanks again for the report.

Burp User | Last updated: May 10, 2019 06:01AM UTC

Thanks for your investigation. I'm waiting for the fix.

You need to Log in to post a reply. Or register here, for free.