Artificial truth

The more you see, the less you believe.

[archives] [latest] | [homepage] | [atom/rss]

Ghetto recursive payload in the Burp Intruder
Mon 05 February 2018 — download

A friend of mine faced an interesting challenge during a web security assessment: The application was using some kind of recursive processing for its parameters, resulting in requests looking like this:

GET /index.php?c=aWQ9MTMzNyZ1c2VyPW5hbWUmcGFzc3dvcmQ9aHVudGVyMgo= HTTP/1.1

Decoded in base64, the c parameters contains this: id=1337&user=name&password=hunter2. So now the question is: how to use Burp's intruder (I'm still looking for a decent workshop about ZAP by the way) in this case, since the classic processing encode->base64 would only encode the value of each parameters, and not the whole query.

The completely hackish solution is to combine the prepend and the encode processing:

  1. Set something like this in the Intruder: GET /index.php?c=§§ HTTP/1.1 ;
  2. In the Payloads tabs, use the payload processing->add prefix item to prepend a=1337&user=name&password= ;
  3. Finally, add encode->base64 filter on the parameter.

This will effectively make the intruder fuzz the request correctly, the downside being that you can only fuzz one parameter at a time, since there is no easy way to concatenate two base64 strings. A better way would be to either write a simple Burp extension, or a simple Python script. But hey, since there is no points for the style, and given that he was only interested in the password for the admin user, it was good enough™.