Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Pasting a text buffer with equal signs in a Repeater's body parameter's value creates unexpected parameters

Ilguiz | Last updated: Mar 31, 2020 03:07AM UTC

Adding a multiline buffer <a href=”javascript:alert(0)”>ClickMe</a> to a body parameter split the value by the equal sign and created two more parameters. In addition, I would not expect the edit mode to suddenly turn the existing value into its percent encoding. This looks insane considering how much pentesters pay attention to encoding and its context. Obviously, the percent encoding applies only in transit (plus in updating the content-length header).

Ilguiz | Last updated: Mar 31, 2020 03:08AM UTC

Err scratch "multiline".

Ilguiz | Last updated: Mar 31, 2020 03:12AM UTC

Err scratch "equal signs". It turns that adding double quotes to the value break it into extra parameters. Ouch! If the unexpected percent encoding in the edit mode is ever going to be fixed, it would be nice to warn about pasting unexpected Unicode quotes copied from those pesky Word/PDF pentest reports.

Liam, PortSwigger Agent | Last updated: Mar 31, 2020 03:09PM UTC

Thanks for your message Ilguiz. I'll discuss this with the product team and get back to you.

Liam, PortSwigger Agent | Last updated: Apr 02, 2020 07:16AM UTC