Artificial truth

The more you see, the less you believe.


Confusing Burp's display with fake encoding
Fri 20 April 2018

Burp Proxy is the go-to tool for web security testing (ZAP is still completely unusable for anything other than "auto-scan, eat all my RAM and crash", but I would be happy to be proven wrong), so it's always interesting to find bugs in it: some are stockpiled for CTFs, the others go into websec.fr, like this one, which is still unfixed.

Burp gives priority to the charset declared in the HTML <meta> tag over the one sent by the web server in the Content-Type header, while browsers (and everyone else) do it the other way around. This means that when you serve UTF-8 content containing the <meta http-equiv="content-type" content="text/html;charset=UTF-16"> tag, Burp will try to decode the response as UTF-16, yielding a lot of weird characters (usually Chinese ones, though I don't have the required fonts to display them correctly):

[Screenshot: Burp displaying the response as UTF-16]
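To make the precedence difference concrete, here is an added example (not code from the post or from Burp) that resolves the charset of a constructed response both ways: header first, as browsers do, and <meta> tag first, as Burp does. The sample headers and body, the function names and the 1024-byte sniffing window are all assumptions of this example.

```python
import re

# Constructed sample (not from the post): the server sends UTF-8 while the page's
# <meta> tag claims UTF-16, which is the situation the post describes.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}
SAMPLE_BODY = (
    '<html><head><meta http-equiv="content-type" '
    'content="text/html;charset=UTF-16"></head>'
    '<body>Hello, websec.fr</body></html>'
).encode("utf-8")

_CT_CHARSET = re.compile(r';\s*charset\s*=\s*"?([\w.:-]+)"?', re.I)
_META_CHARSET = re.compile(rb'<meta[^>]*charset\s*=\s*["\']?([\w.:-]+)', re.I)

def header_charset(headers):
    """Charset parameter of the Content-Type header, or None if absent."""
    m = _CT_CHARSET.search(headers.get("Content-Type", ""))
    return m.group(1) if m else None

def meta_charset(body):
    """Charset declared by a <meta> tag in the first 1024 bytes, or None
    (the 1024-byte window is an assumption mirroring browser prescan)."""
    m = _META_CHARSET.search(body[:1024])
    return m.group(1).decode("ascii") if m else None

def decode_like_browser(headers, body):
    """HTTP header first, <meta> tag second, UTF-8 as a last resort: the
    order browsers use, so the mismatched <meta> tag is ignored here."""
    enc = header_charset(headers) or meta_charset(body) or "utf-8"
    return body.decode(enc, errors="replace")

def decode_like_burp(headers, body):
    """Reversed priority, reproducing the display bug described above:
    UTF-8 bytes read as UTF-16 pairs, i.e. CJK-looking garbage."""
    enc = meta_charset(body) or header_charset(headers) or "utf-8"
    return body.decode(enc, errors="replace")

def charset_mismatch(headers, body):
    """True when header and <meta> disagree: exactly the responses that a
    proxy trusting the tag over the header will mis-render."""
    h, m = header_charset(headers), meta_charset(body)
    return h is not None and m is not None and h.lower() != m.lower()

if __name__ == "__main__":
    print("browser view:", decode_like_browser(SAMPLE_HEADERS, SAMPLE_BODY))
    print("burp view:   ", decode_like_burp(SAMPLE_HEADERS, SAMPLE_BODY))
    print("mismatch:    ", charset_mismatch(SAMPLE_HEADERS, SAMPLE_BODY))
```

Running it prints the readable page for the browser ordering and a run of CJK-range characters for the Burp ordering; `charset_mismatch` is the check to apply to a response before trusting what the proxy shows.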

This can be worked around by forcing Burp to use UTF-8: User options -> Display -> Character Sets -> Use a specific character set.

This is the correct expected result:

[Screenshot: Burp displaying the response as UTF-8]