The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Send to Intruder inserts character markers at incorrect positions when executed from the GraphQL message editor tab

0xceba | Last updated: Sep 10, 2024 07:07PM UTC

Bug overview: Intruder markers are added to the wrong character positions when the "Send to Intruder" action is executed while selecting text in the new GraphQL message editor tab. The Intruder markers appear to be inserted at character positions relative to the beginning of the HTTP request, instead of relative to the beginning of the GraphQL request in the request body.

Environment details: This bug was reproduced on Debian 13.2.0 with Burp Suite Professional v2024.7.5.

Steps to reproduce:

1. Create a Repeater request with a valid GraphQL request, such as the following:

    POST /graphql HTTP/2
    Host: 0xceba.com
    Content-Type: application/json
    Content-Length: 49

    {"query": "query ceba { __typename } "}

2. Navigate to the GraphQL message editor tab.
3. Select a part of the GraphQL request, such as the field "__typename".
4. While the text is selected, open the action context menu by right-clicking on the request or by using the file menu -> execute the Send to Intruder action.
5. Navigate to the Intruder tab. Note where the Intruder markers have been inserted.

Expected behavior: The Intruder markers should be inserted at character positions that match the selected text of the Repeater request.

Actual behavior: The Intruder markers are inserted at incorrect character positions.
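The offset mismatch described in the report, as an added illustration that is not part of the original post and is not Burp Suite's code: selection offsets taken from a decoded GraphQL view are applied first directly to the raw request, then after translation through the header length and JSON string escaping. The request, host name and all function names are constructed for this sketch, and it assumes the body escapes strings the same way Python's `json.dumps` does.

```python
import json

MARK = "§"  # Intruder payload position marker

# Constructed sample modelled on the request in the report; the query
# contains JSON-escaped newlines, as GraphQL bodies commonly do.
BODY = '{"query": "query ceba {\\n  __typename\\n}"}'
RAW = ("POST /graphql HTTP/2\r\n"
       "Host: example.test\r\n"
       "Content-Type: application/json\r\n"
       "\r\n" + BODY)

def enc(s):
    """JSON string-literal form of s, without the surrounding quotes."""
    return json.dumps(s)[1:-1]

def graphql_view(raw):
    """Text a GraphQL editor view would show: the decoded "query" value."""
    return json.loads(raw.split("\r\n\r\n", 1)[1])["query"]

def mark(text, start, end):
    """Wrap text[start:end] in payload markers."""
    return text[:start] + MARK + text[start:end] + MARK + text[end:]

def naive_markers(raw, start, end):
    """Failure mode: view-relative offsets used as raw-request offsets."""
    return mark(raw, start, end)

def translated_markers(raw, start, end):
    """Map view offsets to raw offsets before inserting the markers."""
    head, body = raw.split("\r\n\r\n", 1)
    query = json.loads(body)["query"]
    # Locate the encoded string value (including its quotes) in the body.
    value_at = body.find('"' + enc(query) + '"')
    if value_at < 0:
        raise ValueError("body uses a different JSON escaping; cannot map")
    # Raw offset of the first character inside the opening quote.
    base = len(head) + len("\r\n\r\n") + value_at + 1
    # A decoded character such as a newline occupies two raw characters,
    # so measure the encoded length of the prefix, not the decoded one.
    return mark(raw, base + len(enc(query[:start])),
                base + len(enc(query[:end])))

if __name__ == "__main__":
    view = graphql_view(RAW)
    s = view.index("__typename")
    print(naive_markers(RAW, s, s + 10))
    print(translated_markers(RAW, s, s + 10))
```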

Michelle, PortSwigger Agent | Last updated: Sep 11, 2024 02:19PM UTC