Burp Suite User Forum


Request filter

Sayed | Last updated: Aug 19, 2023 11:24PM UTC

I have a problem with the request body that only accepts numbers and numbers greater than zero. Is there a way to bypass the filter?

Hannah, PortSwigger Agent | Last updated: Aug 21, 2023 10:05AM UTC

Hi,

Could you provide some more information on your scenario, please?

Sayed | Last updated: Sep 09, 2023 04:32PM UTC

I was sending the request:

{
    "bookingMode": "Online",
    "cityId": null,
    "iswaitlistSlot": false,
    "numberOfApplications": 0,
    "previousSequenceNumber": null,
    "processType": null,
    "slotQuotaids": [ 131122558 ],
    "tokenId": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoibnVsbCBTYXQgU2VwIDA5IDIxOjUwOjM5IElTVCAyMDIzIiwib3JpZ2luIjoiaHR0cHM6Ly92Yy50YXNoZWVyLmNvbSJ9.tRMyC4TUs fUIZW9vu1FQMyx8DnR3-Qxu--4LwJyuAO0"
}

The server responded:

"statusCode":"100","statusMessage":"Success","encrypString":null,"slotAvailable":"174575"

Now it replies with:

"statusCode":"BEC_1001","statusMessage":"Please contact System Administrator_DB","encrypString":null

The problem is that the server now does not accept "numberOfApplications" with a value of less than one. Is there a way to bypass the server's rejection of numbers less than one?

Hannah, PortSwigger Agent | Last updated: Sep 11, 2023 08:31AM UTC

Hi,

You can use the Repeater tool to edit requests and issue them to view the response. This would allow you to make minor tweaks to the request to try and exploit the site. Unfortunately, we are not able to help with interpreting your web application's behavior. However, you could check out the Web Security Academy for content on learning how to exploit different vulnerabilities.
