Burp Suite User Forum


Injecting special characters like " /,*,' " into an http request

NazarMedeiros | Last updated: Nov 16, 2016 08:56AM UTC

Hi Mr. Stuttard,

I have an HTTP request which contains the following parameters:

{"head":{"requestCounter":1},"operations":[["set","w2",{"mode":"maximized","bounds":[0,0,1280,802],"activeControl":"w11"}],["set","w11",{"selection":[2,2],"text":"<IFRAME SRC="javascript:alert('XSS19');"></IFRAME>"}],["set","w2",{"activeControl":"w13"}],["notify","w13","Selection",{"button":1,"shiftKey":false,"ctrlKey":false,"altKey":false}],["set","w1",{"cursorLocation":[295,484],"focusControl":"w13"}]]}

When you look at the part with: "text: "<IFRAME SRC=..." you can see that I am trying to inject XSS code. The problem is that this injection causes an internal server error. Adding some "\" characters directly before the " characters helps me to send a successful request. Example below:

"text":"<IFRAME SRC=\"javascript:alert('XSS19');\"></IFRAME>"}

What I would like to know is how I could send a request using the first version (the original request). Is there a way the "-character can remain?

Best regards,
Nazar

PortSwigger Agent | Last updated: Nov 16, 2016 09:44AM UTC

You are putting your payload into a JSON value, which is a string contained within double quotes. If you use a plain double quote in your payload, then you break the JSON format, so the app rejects your data. Using the backslash escape safely puts a quote character inside the string, so doesn't break the JSON.
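The agent's point, shown as an added example that is not part of the original thread: the same value is placed into a JSON body once by plain string pasting and once through a JSON encoder, then parsed the way a JSON-consuming server would. The body is trimmed to a single operation, and the helper names (`splice_raw`, `splice_encoded`, `server_view`) are hypothetical.

```python
import json

# String value taken from the post above; the trimmed body below is constructed.
PAYLOAD = "<IFRAME SRC=\"javascript:alert('XSS19');\"></IFRAME>"


def splice_raw(value: str) -> str:
    """Paste the value between double quotes, as in the first request."""
    return '{"operations":[["set","w11",{"selection":[2,2],"text":"' + value + '"}]]}'


def splice_encoded(value: str) -> str:
    """Same body, but the JSON encoder adds the quotes and the escapes."""
    return '{"operations":[["set","w11",{"selection":[2,2],"text":' + json.dumps(value) + '}]]}'


def server_view(body: str):
    """Parse the body as a JSON-consuming server would.

    Returns ("ok", decoded_text) or ("error", where_parsing_stopped).
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        # The parser stops at the first character after the prematurely closed string.
        return "error", f"{exc.msg} at offset {exc.pos}: {body[exc.pos:exc.pos + 12]!r}"
    return "ok", doc["operations"][0][2]["text"]


if __name__ == "__main__":
    for label, body in (("raw", splice_raw(PAYLOAD)), ("encoded", splice_encoded(PAYLOAD))):
        status, detail = server_view(body)
        print(f"{label:8} {status:6} {detail}")
```

The decoded value in the "encoded" case contains the literal double quotes with no backslashes, so the escape is only wire encoding: the application receives the same characters and still has to output-encode the value wherever it is rendered.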
