Hi!
I'm new to extending Burp and I wanted to add an active scanner plugin for some injections.
When I making the requests with a payload with special characters, for example alert(1), the request encoded my payload with "URL encode".
My code is as follows:
for(String payload: payloads){
IHttpRequestResponse test = this.callbacks.makeHttpRequest(httpService,insertionPoint.buildRequest(helpers.stringToBytes(payload)));
}
when I make "insertionPoint.buildRequest(helpers.stringToBytes(payload))" my payload is encoded in" URL encode", I think is because according to the documentation:
https://portswigger.net/burp/extender/api/burp/IScannerInsertionPoint.html#buildRequest(byte[])
"Note: Scan checks should submit raw non-encoded payloads to insertion points, and the insertion point has responsibility for performing any data encoding that is necessary given the nature and location of the insertion point."
How could I send the request without encoding anything?
For example, if I send alert(1), the request should be:
GET / ...
....
param=alert(1)
and not:
GET / ...
....
param=%3cscript%3ealert(1)%3c%2fscript%3e
Thanks a lot!
↧