Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

JSON and form-urlencoded encoded payloads in Burp Intruder

Rob | Last updated: Apr 09, 2015 01:09PM UTC

The application I'm running a security assessment on encodes POST requests as a URL encoded parameter containing JSON. e.g. bar={"options"%3a{"key"%3a"26b678c6-1d75-41c0-8a20-d9882828c76c","description"%3a"Foo"...<snip>&key=26b678c6-1d75-41c0-8a20-d9882828c76c Is there a way to automatically encode payloads using Burp for use in Intruder? The only way that comes to mind is to run payloads through JavaScript hex encoding first, then load the encoded list into Burp and then URL-encode from there. Is there anything built in that would do this? The closest I found was "Javascript constructed string", however this is not suitable for use in JSON. So to summarise I need the payload to be JSON hex entity encoded then URL encoded (Burp easily does the latter, so the JSON encoding is the bit I need).

PortSwigger Agent | Last updated: Apr 15, 2015 09:09AM UTC

The Scanner automatically supports nested JSON insertion points within parameter values, but the Intruder tool does not. We plan to provide some additional options for placement of payload positions in Intruder.

PortSwigger Agent | Last updated: Feb 18, 2016 05:24PM UTC

We don't have any progress to report currently, but we are planning to carry out some work on Intruder in the coming months, and this might make the cut.

Burp User | Last updated: Aug 15, 2016 06:29PM UTC

This request needs a bump because it is desperately needed. More and more apps are using JSON APIs these days. Please add JSON encoding/decoding to all applicable payload processing locations (Intruder, encode/decode, etc.).

Burp User | Last updated: Dec 20, 2016 04:41PM UTC

Has this ever been resolved? I've seen similar cases where a base64 parameter contains XML data. It'd be a great addition to handle nested insertion points via intruder.

Burp User | Last updated: Jul 28, 2017 03:45PM UTC