Burp Suite User Forum

URL Decode not working on pitchfork attack when payload is set on a HTTP header

daniel | Last updated: Dec 12, 2020 09:01PM UTC

Version: Burp 2020.12. When I define a payload on an HTTP header and my payload has two points as part of the payload (Ex: DMEWNf..DIEJDEJE), Burp automatically encodes the two points to %2e%2e. I already tried the payload processing rules and I tried to uncheck the Payload Encoding options, and it didn't work. If I choose a Sniper attack, it works perfectly; the two points are not encoded. But if I choose a Pitchfork attack, the decode doesn't work.

Uthman, PortSwigger Agent | Last updated: Dec 14, 2020 11:22AM UTC

Can you provide more detail on how you have configured the attack? Ideally, with steps to replicate? I have created a new header in a request with " DMEWNf..DIEJDEJE" as the value and payload positions around it (§DMEWNf..DIEJDEJE§). The pitchfork attack requires two payload positions, however. Where would the other one be defined in your example?

David | Last updated: Dec 29, 2020 05:05PM UTC

This is probably the same bug for 2020.12 as reported in https://forum.portswigger.net/thread/burp-professional-v2020-12-and-12-1-force-url-encoding-even-if-disabled-it-on-intruder-3314afff

Ben, PortSwigger Agent | Last updated: Jan 05, 2021 12:55PM UTC

Hi both, Thank you for this - we will add the details to the existing bug report that we have raised for the issue that you initially reported, David.