Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

missing HttpParameterType PATH

soein | Last updated: Dec 22, 2023 03:35PM UTC

Hello, Why is there no PATH HttpParameterType in the montoya API? Is is meant to be included in the URL HttpParameterType?

Michelle, PortSwigger Agent | Last updated: Dec 22, 2023 04:01PM UTC

Hi To help us understand your query better, can you tell us in a bit more detail what you are trying to achieve in your extension? Could you provide some examples to help explain what you would like your extension to do?

soein | Last updated: Dec 22, 2023 05:00PM UTC

hi, I am trying to extend the OpenAPI Parser. I want to test an API that has parameters in the path but montoya API only allows for BODY, COOKIE or URL parameters. The goal is, that the PATH parameters will show up in the "Parameters" tab in the OpenAPI Parser extension so that i can edit the values. Eventually i would like to send it to the scanner that will then also test the PATH parameters.

Michelle, PortSwigger Agent | Last updated: Dec 27, 2023 11:32AM UTC

Hi Sorry, I am not sure I have fully understood what you are trying to achieve. The OpenAPI parser extension already has a column to display the path. Do you want to expand on this functionality so changes can be made to the path and different requests can be sent rather than just displaying the path? Can you provide some examples to help demonstrate what you would like your extension to do?

soein | Last updated: Jan 01, 2024 12:24PM UTC

Hi, Yes exactly. I want the PATH to be variable just like BODY, COOKIE and URL. E.g. if the path is /api/{version}/Version, I would like version to be a variable that I can edit in the "Edited Value" column. I saw that PATH is not a parameter according to the HTTP specification, but it is according to OpenAPI. So I am looking for a way to recognise the PATH as a parameter so that I could send the request to the scanner which then would test the PATH parameter the same way it would test a BODY or URL parameter (inject code, different paths etc.). --> /api/v1/Version, /api/../../../Version

Michelle, PortSwigger Agent | Last updated: Jan 02, 2024 11:52AM UTC

Have you discussed this update yet with the BApp Author via GitHub?

soein | Last updated: Jan 02, 2024 09:47PM UTC

Hey Michelle, No I have not. There is an open issue regarding that problem (opened in July), but no answer so far. Since there is no PATH parameter in the HTTP specs, is there another parameter (not necessarily from the HTTP specs) that i could assign the PATH parameter from the openapi specs to? The goal is, that the scanner will recognise it as a variable so that it will inject code to that parameter. In other words, is there a variable in the montoya api that i could use to assign the parameter to.

Michelle, PortSwigger Agent | Last updated: Jan 08, 2024 03:16PM UTC