Burp Suite User Forum


Scanning a REST-style URL

Madruga | Last updated: Aug 21, 2016 12:33PM UTC

Hi,

I've occasionally played with the pro version of Burp over the years and three years ago I found a SQL injection in one of our IIS/asp.net web apps. I seem to remember that I just had the Scanner running while opening a specific page and the Scanner found the SQL injection by itself in the "country" parameter in this URL:

/mywebapp/api/customer/country

If I scan the same request now, Burp doesn't report any problem. If I send the request to the Intruder and add a payload marker for the country parameter and then select "Actively scan defined insertion points", the Scanner will report the SQL Injection in this request:

/mywebapp/api/customer/country'

(Unclosed quotation mark after the character string ')

When doing the initial scan, Burp never tries to add the quotation mark on the country parameter in the URL, but instead tries to, for example, add a new parameter like this:

/mywebapp/api/customer/country?1'=1

Since I'm quite sure the version of Burp I was running three years ago found the SQL injection without me doing anything manually, I wonder if something has changed? Should Burp be expected to find this problem? Is there a way to force Burp to do more with a request like this? I have checked the "REST-style URL parameters" checkbox under Attack Insertion Points.

Tested now with pro v1.6.18/v1.7.04 and the behavior is the same. Can't remember which version I tested on three years ago.

Thanks.

PortSwigger Agent | Last updated: Aug 23, 2016 09:19AM UTC

Burp has two insertion point types relevant to direct insertion of payloads within the URL, which you can configure at Scanner / Options / Attack insertion points:

- URL path filename
- URL path folders

These replace the old option called "REST-style URL parameters". If you have the URL path filename insertion point enabled, then Burp should place payloads at the country part of your URL, since it is the last slash-delimited token in the filename.

Burp User | Last updated: Sep 12, 2016 08:45PM UTC

Hi,

I can't get it to scan the last parameter even if I check the URL path filename/folders (unless I go via the Intruder). I also want it to scan "customer" in the above URL (/mywebapp/api/customer/country), but same thing, I can't get Burp to automatically scan it.

I'd be happy to send a URL to a public test env. to Burp Support if someone wants to have a look.

PortSwigger Agent | Last updated: Sep 14, 2016 01:16PM UTC

Please can you:

1. Enable the "URL path filename" and "URL path folders" insertion points
2. Use the Custom Logger extension in the BApp Store to view the requests that happen when Burp is scanning

If you still believe that Burp isn't putting any attacks into the URL file path, please do email support@portswigger.net with a URL where we can replicate the problem, thanks.
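One way to check, from the requests seen while Burp is scanning, whether anything was placed in the URL path at all. This is an added example, not part of the thread or of Burp: it assumes the logged requests are available as a plain list of request paths, and calling every non-final path segment a "folder" is an assumption of the sketch.

```python
from urllib.parse import urlsplit

def path_insertion_points(path):
    """Split a URL path into (index, kind, value) tuples.

    The last slash-delimited token is the "filename" (as described in the
    thread); labelling every earlier token "folder" is this sketch's assumption.
    """
    segs = [s for s in urlsplit(path).path.split("/") if s]
    return [(i, "filename" if i == len(segs) - 1 else "folder", s)
            for i, s in enumerate(segs)]

def scan_coverage(base, logged):
    """Count logged requests that changed exactly one path segment of base.

    Returns {"path": {segment_index: count}, "query_only": n, "other": n}.
    """
    base_segs = [s for _, _, s in path_insertion_points(base)]
    result = {"path": {i: 0 for i in range(len(base_segs))},
              "query_only": 0, "other": 0}
    for line in logged:
        parts = urlsplit(line)
        segs = [s for s in parts.path.split("/") if s]
        # diff is None when the segment count changed, else the changed indexes
        diff = ([i for i, (a, b) in enumerate(zip(base_segs, segs)) if a != b]
                if len(segs) == len(base_segs) else None)
        if diff is not None and len(diff) == 1:
            result["path"][diff[0]] += 1      # payload sat in one path segment
        elif diff == [] and parts.query:
            result["query_only"] += 1         # path untouched, query string added
        else:
            result["other"] += 1              # unchanged request or other shape
    return result

BASE = "/mywebapp/api/customer/country"
# Constructed sample log; the request shape is the one quoted in the first post.
LOGGED = [
    "/mywebapp/api/customer/country?1'=1",
    "/mywebapp/api/customer/country?1'=1",
    "/mywebapp/api/customer/country",
]

if __name__ == "__main__":
    cov = scan_coverage(BASE, LOGGED)
    for i, kind, seg in path_insertion_points(BASE):
        print(f"{kind:8} {seg:10} requests that modified it: {cov['path'][i]}")
    print("query-only changes:", cov["query_only"])
```

A count of zero for every path segment alongside a non-zero query-only count is the situation the original poster describes.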

Burp User | Last updated: Sep 14, 2016 08:46PM UTC

Mail with more info sent to support@portswigger.net.

Thanks.
