Title: Ghetto recursive payload in the Burp Intruder
Date: 2018-02-05 11:00

A friend of mine faced an interesting challenge during a web security assessment:
The application was using some kind of recursive processing for its parameters,
resulting in requests looking like this:

```
GET /index.php?c=aWQ9MTMzNyZ1c2VyPW5hbWUmcGFzc3dvcmQ9aHVudGVyMgo= HTTP/1.1
```

Decoded from [base64](https://en.wikipedia.org/wiki/Base64), the `c` parameter
contains this: `id=1337&user=name&password=hunter2`.
So now the question is: how do you use [Burp's Intruder](https://portswigger.net/burp/help/intruder_using.html)
(I'm still looking for a decent workshop about [ZAP](https://www.zaproxy.org/) by the way)
in this case, since the classic `encode->base64` processing would only encode
the value of **each** parameter, and not the **whole query**?

The completely hackish solution is to combine the `prepend` and the `encode` processing:

1. Set something like this in the Intruder: `GET /index.php?c=§§ HTTP/1.1`;
2. In the `Payloads` tab, use the `payload processing->add prefix` item
   to prepend `id=1337&user=name&password=`;
3. Finally, add the `encode->base64` filter on the parameter.

This will effectively make the Intruder fuzz the request correctly,
the downside being that you can only fuzz one parameter at a time, since there
is no easy way to concatenate two base64 strings. A better way would be to
either write a simple Burp extension, or a simple Python script.
But hey, since there are no points for style, and given that he was only
interested in the password for the `admin` user, it was good enough™.
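As an added example (not part of the original post), here is an offline sketch of the Python-script route: it serialises the whole query before encoding, which lets several parameters vary at once, and shows why joining separately encoded chunks breaks. The function names and the candidate values are hypothetical; nothing is sent over the network.

```python
import base64
from itertools import product
from urllib.parse import parse_qsl, urlencode


def encode_query(params):
    """Serialise every parameter first, then base64 the whole query string."""
    return base64.b64encode(urlencode(params).encode()).decode()


def decode_query(value):
    """Inverse of encode_query; strips the trailing newline in the post's sample."""
    text = base64.b64decode(value).decode().strip()
    return dict(parse_qsl(text))


def concat_separately(*chunks):
    """Encode each chunk on its own and join the results.

    Only correct when every chunk but the last is a multiple of 3 bytes long;
    otherwise '=' padding ends up in the middle of the string."""
    return "".join(base64.b64encode(c.encode()).decode() for c in chunks)


def variants(base, candidates):
    """Yield one encoded value per combination of candidate values.

    candidates maps a field name to the list of values to try for it."""
    fields = list(candidates)
    for combo in product(*(candidates[f] for f in fields)):
        yield encode_query({**base, **dict(zip(fields, combo))})


if __name__ == "__main__":
    base = {"id": "1337", "user": "name", "password": "hunter2"}
    print(encode_query(base))
    # 13-byte first chunk: its base64 ends in "==", corrupting the joined string.
    print(concat_separately("id=1337&user=", "name&password=hunter2"))
    # Constructed candidate values, two fields varied together.
    for value in variants(base, {"user": ["u1", "u2"], "password": ["p1", "p2"]}):
        print(value, decode_query(value))
```

The prefix trick from the post is the one-field special case of `encode_query`: prefix and payload are joined first and encoded once.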
