Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

missing HttpParameterType PATH

soein | Last updated: Dec 22, 2023 03:35PM UTC

Hello, Why is there no PATH HttpParameterType in the montoya API? Is is meant to be included in the URL HttpParameterType?

Michelle, PortSwigger Agent | Last updated: Dec 22, 2023 04:01PM UTC

Hi To help us understand your query better, can you tell us in a bit more detail what you are trying to achieve in your extension? Could you provide some examples to help explain what you would like your extension to do?

soein | Last updated: Dec 22, 2023 05:00PM UTC

hi, I am trying to extend the OpenAPI Parser. I want to test an API that has parameters in the path but montoya API only allows for BODY, COOKIE or URL parameters. The goal is, that the PATH parameters will show up in the "Parameters" tab in the OpenAPI Parser extension so that i can edit the values. Eventually i would like to send it to the scanner that will then also test the PATH parameters.

Michelle, PortSwigger Agent | Last updated: Dec 27, 2023 11:32AM UTC

Hi Sorry, I am not sure I have fully understood what you are trying to achieve. The OpenAPI parser extension already has a column to display the path. Do you want to expand on this functionality so changes can be made to the path and different requests can be sent rather than just displaying the path? Can you provide some examples to help demonstrate what you would like your extension to do?

soein | Last updated: Jan 01, 2024 12:24PM UTC

Hi, Yes exactly. I want the PATH to be variable just like BODY, COOKIE and URL. E.g. if the path is /api/{version}/Version, I would like version to be a variable that I can edit in the "Edited Value" column. I saw that PATH is not a parameter according to the HTTP specification, but it is according to OpenAPI. So I am looking for a way to recognise the PATH as a parameter so that I could send the request to the scanner which then would test the PATH parameter the same way it would test a BODY or URL parameter (inject code, different paths etc.). --> /api/v1/Version, /api/../../../Version

Michelle, PortSwigger Agent | Last updated: Jan 02, 2024 11:52AM UTC

Have you discussed this update yet with the BApp Author via GitHub?

soein | Last updated: Jan 02, 2024 09:47PM UTC

Hey Michelle, No I have not. There is an open issue regarding that problem (opened in July), but no answer so far. Since there is no PATH parameter in the HTTP specs, is there another parameter (not necessarily from the HTTP specs) that i could assign the PATH parameter from the openapi specs to? The goal is, that the scanner will recognise it as a variable so that it will inject code to that parameter. In other words, is there a variable in the montoya api that i could use to assign the parameter to.

Michelle, PortSwigger Agent | Last updated: Jan 08, 2024 03:16PM UTC

I would advise letting the BApp Author know that you are also interested in the feature and why it would be useful for you, to help them prioritize the features they work on. This is an actively maintained extension, so you may well get a response. BApps are maintained by the individual authors rather than the team here at PortSwigger. While there may not be a specific parameter type within the Montoya API they may be able to address this in other ways within their code. i hope this helps.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.