Burp Suite User Forum


Intruder options:

Eric | Last updated: Nov 20, 2016 12:11AM UTC

Under Intruder, there is a section named "Payload Encoding"; it allows you to URL-encode certain characters. Why is Burp doing so? In other words, why are we bothering to URL-encode the payloads before they reach the web application? What advantages might that give us?

PortSwigger Agent | Last updated: Nov 21, 2016 08:52AM UTC

You need to URL-encode certain characters for safe placement into the URL, and other locations like the message body in URL-encoded bodies. For example, if you put a literal space, ampersand or equals character into the URL, you risk breaking the request, or causing it to be handled differently.
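The effect described in the answer above, as an added example that is not part of the original thread: the same payloads are placed into a query-string parameter raw and URL-encoded, and the request line is then parsed the way a server-side form parser would. The `/search` endpoint, the `q` and `page` parameters, the helper names and the sample payloads are constructed for illustration, and Python's `urllib.parse` stands in for the server's parser.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample payloads containing characters that are syntax in a URL
# or in an application/x-www-form-urlencoded body.
PAYLOADS = ["a b", "x&sort=desc", "1+1=2", "50%25off"]


def build_request_line(payload, encode):
    """Place the payload into the hypothetical 'q' parameter of a GET request."""
    value = quote(payload, safe="") if encode else payload
    return f"GET /search?q={value}&page=1 HTTP/1.1"


def server_view(request_line):
    """Return the parameters a server would see, or None if the line is malformed."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        # A literal space adds a fourth token: method, target, version no longer line up.
        return None
    query = urlsplit(parts[1]).query
    return parse_qs(query, keep_blank_values=True)


def compare(payload):
    """Parameters seen by the server for the raw and the URL-encoded payload."""
    raw = server_view(build_request_line(payload, encode=False))
    encoded = server_view(build_request_line(payload, encode=True))
    return raw, encoded


if __name__ == "__main__":
    for p in PAYLOADS:
        raw, encoded = compare(p)
        print(f"payload : {p!r}")
        print(f"  raw     -> {raw}")
        print(f"  encoded -> {encoded}")
```

Only the encoded form delivers each payload to `q` unchanged; the raw form yields a malformed request line, an extra parameter, or a silently altered value.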

Burp User | Last updated: Nov 21, 2016 04:27PM UTC

In other words, it would be for the safe transmission of those certain characters from the browser and Burp to the web application. So this is not related to encoding to bypass a WAF or other web application security in place? Are there other encodings besides URL encoding in Burp to help bypass a WAF, for example?

PortSwigger Agent | Last updated: Nov 21, 2016 04:48PM UTC

Correct, simple URL-encoding is normally about safe transmission of data, rather than filter bypasses.
