Burp Suite User Forum

Payload change during scan

olek | Last updated: Jul 01, 2021 03:04PM UTC

Hi Team,

I would like to ask about Scan/FUZZ using my own payload. I see that when I load a payload, Burp changes it. For example, the payload is

/../../../../../../../../../../etc/shadow

Why does Burp change it for me?

GET /%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/2
Host: www.hyperwallet.com

Next:

wp-includes/sodium_compat/composer.json

Burp changes it to:

wp-includes%2fsodium_compat%2fcomposer.json

The website sees this bad payload and does not understand it??? I have my own payloads in a Notepad file, payload.txt.

Thanks

Michelle, PortSwigger Agent | Last updated: Jul 02, 2021 09:13AM UTC

Thanks for your message. If you are using the Intruder tool you can set the options for the URL encoding of payloads on the Payloads tab under 'Payload encoding':

https://portswigger.net/burp/documentation/desktop/tools/intruder/payloads/processing#payload-encoding

I hope this helps. Please let us know if you need any further assistance.

olek | Last updated: Jul 05, 2021 03:31PM UTC

Additionally, I would ask why Burp is encoding it. Is the effect/score better with an encoded payload or without encoding? Thanks

Michelle, PortSwigger Agent | Last updated: Jul 06, 2021 10:45AM UTC

URL encoding converts reserved, unsafe, and non-ASCII characters to a format that is universally accepted and understood by all web browsers and servers. If for a particular use case you do not want this enabled it can be turned off or you can even alter the range of characters that are encoded. I hope this helps.
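The encoding discussed in this thread, as an added example that is not part of the original posts and is not Burp's code: a server that percent-decodes the request target resolves the raw and the encoded form of a path to the same file, so a server-side path check has to run on the decoded value. The function names, the `encode_set` parameter and the `/var/www` document root are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote


def encode_payload(payload: str, encode_set: str = "/") -> str:
    """Percent-encode only the characters in encode_set (a hypothetical
    stand-in for a configurable list of characters to URL-encode)."""
    return "".join(
        "".join(f"%{b:02x}" for b in ch.encode("utf-8")) if ch in encode_set else ch
        for ch in payload
    )


def decode_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (or max_rounds is hit),
    so a double-encoded value is reduced to its final form as well."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def escapes_root(target: str, root: str = "/var/www") -> bool:
    """Return True if the decoded path resolves outside root.
    root is an assumed document root, not a value from the thread."""
    path = decode_target(target).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    return not (resolved == root or resolved.startswith(root + "/"))


if __name__ == "__main__":
    # Constructed samples modelled on the two payload shapes in the thread.
    samples = [
        "/../../etc/shadow",
        encode_payload("/../../etc/shadow", "./"),
        "wp-includes/sodium_compat/composer.json",
        encode_payload("wp-includes/sodium_compat/composer.json"),
    ]
    for s in samples:
        print(f"{s!r:60} decoded={decode_target(s)!r} escapes_root={escapes_root(s)}")
```

Whether a given server accepts an encoded slash (`%2f`) inside the path depends on its configuration, which is why the character set to encode is adjustable.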