The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Payload change during scan

olek | Last updated: Jul 01, 2021 03:04PM UTC

Hi Team,

I would like to ask about Scan/FUZZ using my own payload. I see that when I load a payload, Burp changes it. For example, the payload is:

/../../../../../../../../../../etc/shadow

Why does Burp change it to this?

GET /%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/2
Host: www.hyperwallet.com

Next:

wp-includes/sodium_compat/composer.json

Burp changes it to:

wp-includes%2fsodium_compat%2fcomposer.json

The website sees this bad payload and does not understand it. I have my own payloads in Notepad, in payload.txt.

Thanks

Michelle, PortSwigger Agent | Last updated: Jul 02, 2021 09:13AM UTC

Thanks for your message. If you are using the Intruder tool, you can set the options for the URL encoding of payloads on the Payloads tab under 'Payload encoding':

https://portswigger.net/burp/documentation/desktop/tools/intruder/payloads/processing#payload-encoding

I hope this helps. Please let us know if you need any further assistance.

olek | Last updated: Jul 05, 2021 03:31PM UTC

Additionally, I would like to ask why Burp is encoding it. Is the effect/score better with an encoded payload or without encoding?

Thanks

Michelle, PortSwigger Agent | Last updated: Jul 06, 2021 10:45AM UTC