Burp community forum

Treating existing values in a parameter while scanning

Karthik | Last updated: Jun 25, 2015 06:41AM UTC

Hello, I am adding a URL for scanning that has 10 body parameters for scanning Out of the 10 parameters, 4 parameters are already filled with some values. Other 6 parameters are left blank. When we are active scanning - how will burp work when new crafted requests are sent ? - Will the exiting values of the parameter be removed and replaced with the attack string ? or will the attack string just be appended ? Please confirm.

PortSwigger Agent | Last updated: Jun 25, 2015 08:00AM UTC

Some Scanner checks will replace the existing value; some will append to it; some will do both. The choices made within each Scanner check depend on the nature of the vulnerability that is being tested for and the nature of the existing value of the parameter (if any).

Burp User | Last updated: Jun 29, 2015 12:59PM UTC

Thanks for your response If for example I have a parameter NAME that is left blank initially. So when scanner checks happen there is not replacing happens But if the same parameter NAME is supplied with a value, then appending and replacing happens when the scanner checks are happening. So, with that said, are both the cases will find out the vulnerability or is there a dependency on the value carried by the parameter ? Could you please confirm ?

PortSwigger Agent | Last updated: Jun 29, 2015 01:18PM UTC

In the second case, when the parameter has a non-empty base value, some Scanner checks will replace the base value, some will append to it, and some will sometimes do both. The Scanner checks that may do both (e.g. the XSS check) are aware within their internal logic of everything they have done and ensure that each distinct vulnerability only gets reported once, even if it can be identified through both appending and replacing. Overall, Burp behaves in a way that is designed to maximize the discovery of vulnerabilities while avoiding duplicate / redundant effort. If you're curious about the behavior of a particular Scanner check, then try installing the Custom Logger extension, and see what happens when you scan a target with the features you are interested in.

Burp User | Last updated: Jun 30, 2015 10:56AM UTC

Hello Dafydd ... Thanks for the explanation.

You need to Log in to post a reply. Or register here, for free.