Burp Suite User Forum

Create new post

Question marks in URL insted of unicode charactes

Itay | Last updated: Aug 21, 2023 11:14AM UTC

Endpoints in unicode are viewed as question marks and are not decoded propertly, in some cases even breaking a proper workflow ( instead of requesting the intended endpoint burp forwards a request to /??????????? ). I've changed the HTTP message display to unicode supported font but it seems like a non UI problem.

Hannah, PortSwigger Agent | Last updated: Aug 22, 2023 08:54AM UTC

Hi. Does the request line contain non-ASCII characters that are then getting converted to "?"?

Itay | Last updated: Aug 23, 2023 10:27AM UTC

The URL contains hebrew characters: Original request: /תודה-על-הרשמה In burp suite: /?????????? Testing with packet sniffer I could confirm that the request after burp as a proxy is malformed.

Hannah, PortSwigger Agent | Last updated: Aug 23, 2023 04:04PM UTC

Hi Due to the RFC specification (https://www.rfc-editor.org/rfc/rfc9110#section-5.5), we expect that characters in the request line are ASCII and not multi-byte characters. We have an ongoing feature request to provide support for this functionality, to which I have added your +1. You may find that downgrading your HTTP protocol to HTTP/1.1 helps in this scenario, although there may be some loss of data as Burp truncates data when converting multi-byte characters between bytes and Strings. You can find an interesting vulnerability around this behavior here: https://www.mbsd.jp/research/20230216/multibyte-url/

Itay | Last updated: Aug 24, 2023 07:40AM UTC


You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.