Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Payload still encodes after unchecking "Url-encode these characters" checkbox

Max | Last updated: Jan 12, 2021 03:06PM UTC

Found on Burp Suite Community Edition v.2020.12.1 1. I'm trying to start intruder attack with following payload: type: recursive grep initial payload: 2021-01-12 16:27:24.056815 (timestamp with characters wich can be encoded) "Url-encode these characters" checkbox: unchecked Screenshot: https://monosnap.com/file/h7Sx2lLCQki2ceudVG1tbWmI3X7vQy 2. After starting an attack, i see that value in payload is still encoded Screenshot: https://monosnap.com/file/0lD0xmJVKdmlw0ZUJ6rrnAqDWDTiAb 3. In Payloads tab of the current attack i see that "Url-encode these characters" checkbox is still checked Screenshot: https://monosnap.com/file/ZOm6qnlX5vGLm9qJBJambnudvrEV96

Ben, PortSwigger Agent | Last updated: Jan 13, 2021 08:17AM UTC

Hi, Thank you for taking the time to highlight this. We have raised this issue as a bug report so that the development team can investigate and identify the root cause. We will update this thread if we have any further news to share about a fix for this issue.

Ben, PortSwigger Agent | Last updated: Feb 11, 2021 10:10AM UTC

Hi, We just wanted to let you know that the new Burp 2021.2 release should now have fixed the issue you were experiencing in Intruder.

Tev | Last updated: Jul 20, 2024 12:01AM UTC

Facing same issue, the intruder is not encoding anything except . (dot) Payloads: test@domain.com Once intruder attack begins, payload looks like this: test@domain%2ecom I have unchecked URL encoding under payloads tab already

Ben, PortSwigger Agent | Last updated: Jul 22, 2024 07:12AM UTC

Hi Tev, Are you able to send us an email at support@portswigger.net and include some screenshots of what you have configured within your attack and what you are seeing in the results table? Running a quick test on this in 2024.6.2, if I disable the URL-encoding option then I am not seeing any part of that payload being encoded (as I would expect) so it would be useful to see exactly what you are doing so that we can assist you further.

biruk | Last updated: Aug 08, 2024 05:06AM UTC

yes the same issue in the latest version burpsuite community

Dominyque, PortSwigger Agent | Last updated: Aug 08, 2024 07:05AM UTC