A friend of mine faced an interesting challenge during a web security assessment: The application was using some kind of recursive processing for its parameters, resulting in requests looking like this:
GET /index.php?c=aWQ9MTMzNyZ1c2VyPW5hbWUmcGFzc3dvcmQ9aHVudGVyMgo= HTTP/1.1
Decoded from base64, the c parameter contains this: id=1337&user=name&password=hunter2.
So now the question is: how to use Burp's Intruder
(I'm still looking for a decent workshop about ZAP, by the way)
in this case, since the classic encode->base64 processing would only encode
the value of each parameter, and not the whole query.
The completely hackish solution is to combine the prepend and the encode processing:
- Set something like this in the Intruder:
  GET /index.php?c=§§ HTTP/1.1
- In the Payloads tab, use the payload processing -> add prefix item to prepend a=1337&user=name&password=
- Finally, add the encode->base64 filter on the parameter.
This effectively makes the Intruder fuzz the request correctly,
the downside being that you can only fuzz one parameter at a time, since there
is no easy way to concatenate two base64 strings. A better way would be to
write either a simple Burp extension or a simple Python script.
But hey, since there are no points for style, and given that he was only
interested in the password for the admin user, it was good enough™.