A friend of mine faced an interesting challenge during a web security assessment: The application was using some kind of recursive processing for its parameters, resulting in requests looking like this:
GET /index.php?c=aWQ9MTMzNyZ1c2VyPW5hbWUmcGFzc3dvcmQ9aHVudGVyMgo= HTTP/1.1
Decoded in base64, the
So now the question is: how to use Burp's Intruder (I'm still looking for a decent workshop about ZAP by the way) in this case, since the classic `encode -> base64` payload processing would only encode the value of each parameter, and not the whole query.
The completely hackish solution is to combine the prefix and the base64 payload processing rules:
- Set something like this in the Intruder:
  GET /index.php?c=§§ HTTP/1.1
- In the Payloads tab, use the `payload processing -> add prefix` item to prepend the static part of the query in front of each payload
- Finally, add the `encode -> base64` rule on the parameter.
This will effectively make Intruder fuzz the request correctly,
the downside being that you can only fuzz one parameter at a time, since there
is no easy way to concatenate two base64 strings. A better way would be to
either write a simple Burp extension, or a simple Python script.
But hey, since there are no points for style, and given that he was only
interested in the password for the admin user, it was good enough™.
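For reference, here is what the "simple Python script" mentioned above could look like. This is an added example, not the author's script: it decodes the base64 wrapper into its parameters, rebuilds it after substituting values, and can vary several parameters at once, which the single-position Intruder trick cannot. The sample value is the `c` parameter from the request in the post; the candidate values in the usage are constructed placeholders. It assumes the application simply base64-decodes `c` and parses the result as a standard query string.

```python
import base64
import itertools
from urllib.parse import parse_qsl, urlencode

# The c parameter from the request quoted in the post.
SAMPLE_C = "aWQ9MTMzNyZ1c2VyPW5hbWUmcGFzc3dvcmQ9aHVudGVyMgo="


def decode_query(c):
    """Strip the base64 wrapper and return the inner query as an ordered list of (name, value)."""
    raw = base64.b64decode(c).decode()
    # keep_blank_values keeps empty parameters such as "password=" instead of dropping them;
    # rstrip removes the trailing newline present in the sample (it came from an echo).
    return parse_qsl(raw.rstrip("\n"), keep_blank_values=True)


def encode_query(params):
    """Rebuild the wrapped value: urlencode the pairs, then base64 the whole query."""
    return base64.b64encode(urlencode(params).encode()).decode()


def generate_payloads(c, overrides):
    """Yield one wrapped value per combination of candidate values.

    overrides maps a parameter name to a list of candidate values; every other
    parameter keeps the value found in c. Several parameters can be varied at once.
    """
    base = dict(decode_query(c))
    names = list(overrides)
    for combo in itertools.product(*(overrides[name] for name in names)):
        params = dict(base)
        params.update(zip(names, combo))
        yield encode_query(list(params.items()))


if __name__ == "__main__":
    print(decode_query(SAMPLE_C))
    # Constructed candidate values, standing in for whatever wordlist Intruder would use.
    for payload in generate_payloads(SAMPLE_C, {"user": ["admin"], "password": ["candidate1", "candidate2"]}):
        print(payload, "->", decode_query(payload))
```

Note that `urlencode` percent-encodes reserved characters, so if the application's own encoder behaves differently (for example, leaves `+` or `/` untouched), the inner query should be built with that encoder instead.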