The positions tab also provides several data encoding and decoding options, so values can be encoded or decoded without leaving the tab. If you want to encode or decode any value in your request (or anything else in the request) you can highlight it, right click and choose "Convert selection" from the menu. I have selected our User ID value below to show how to encode a value:
I have encoded the User ID value using URL encoding:
We can convert our values into four main types, each one explained below:

URL Encoding: URL Encoding (otherwise known as Percent Encoding) is used to encode data that will be contained within a URL. The characters allowed in URLs are defined as either Reserved or Unreserved in the RFC that specifies URL syntax. Reserved characters are those which can have a special meaning in a URL; the RFC states that, amongst other things, reserved characters are used as delimiters. Any character outside the unreserved set is written as a percent sign followed by its two-digit hexadecimal value, so a space becomes %20 and < becomes %3C.

HTML Encoding: In my opinion HTML Encoding is much simpler than URL Encoding. We use HTML Encoding to represent characters which may have special meaning in HTML as literal characters. Character entity references replace these potentially dangerous characters with a symbolic name; the common ones are shown below (there are around 250 character entity references in total):

&lt; represents the < sign.
&gt; represents the > sign.
&amp; represents the & sign.
&quot; represents the " mark.

Base64: Base64 is a generic term for a family of similar encoding schemes that represent binary data by treating it numerically and translating it into a base-64 representation, using a 64-character alphabet (A-Z, a-z, 0-9, + and /, with = as padding). Base64 is an encoding, not encryption: anything you Base64-encode can be decoded by anyone who sees it, so it hides nothing from an attacker.

Constructed String: The constructed string option transforms a value into an expression that rebuilds it from character codes, which is useful in code injection attacks when the target filters quotes or particular keywords. You can create JavaScript, Microsoft SQL, Oracle and MySQL constructed strings.

I've included a screenshot below which shows an angle bracket (<) encoded with all of the different encoding types:
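To make the four conversions concrete, here is a small Python re-implementation of the "Convert selection" menu. This is an added example written for this page, not Burp Suite's own code: the URL encoder assumes you want everything except the RFC unreserved characters encoded (Burp also offers a "key characters only" variant), and the exact layout of the constructed strings is my rendering of the four dialects named above, not a guarantee of byte-for-byte agreement with Burp's output.

```python
import base64
import html
from urllib.parse import quote, unquote

# Added example re-implementing the "Convert selection" transformations.
# Not Burp Suite's own code; the constructed-string formats below are assumed.

UNRESERVED = "-._~"  # RFC unreserved punctuation; letters and digits are always left alone


def url_encode(value: str) -> str:
    """Percent-encode every character except the unreserved set."""
    return quote(value, safe=UNRESERVED)


def url_decode(value: str) -> str:
    return unquote(value)


def html_encode(value: str) -> str:
    """Replace <, >, &, " and ' with their character entity references."""
    return html.escape(value, quote=True)


def html_decode(value: str) -> str:
    return html.unescape(value)


def base64_encode(value: str) -> str:
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def base64_decode(value: str) -> str:
    return base64.b64decode(value).decode("utf-8")


def construct_string(value: str, dialect: str) -> str:
    """Rebuild `value` from character codes in the syntax of the given dialect,
    so the literal text never appears in the request (useful when quotes are filtered)."""
    codes = [ord(c) for c in value]
    if dialect == "javascript":
        return "String.fromCharCode(%s)" % ",".join(map(str, codes))
    if dialect == "mssql":
        return "+".join("char(%d)" % c for c in codes)
    if dialect == "oracle":
        return "||".join("chr(%d)" % c for c in codes)
    if dialect == "mysql":
        return "char(%s)" % ",".join(map(str, codes))
    raise ValueError("unknown dialect: %s" % dialect)


def convert_selection(value: str) -> dict:
    """Every encoding of `value` side by side, like the screenshot of '<' above."""
    return {
        "url": url_encode(value),
        "html": html_encode(value),
        "base64": base64_encode(value),
        "javascript": construct_string(value, "javascript"),
        "mssql": construct_string(value, "mssql"),
        "oracle": construct_string(value, "oracle"),
        "mysql": construct_string(value, "mysql"),
    }


if __name__ == "__main__":
    for name, encoded in convert_selection("<").items():
        print("%-10s %s" % (name, encoded))
```

Running the module prints the same table the screenshot shows for <: %3C, &lt;, PA== and the four character-code constructions. The decoders are included because in practice you will use them as often as the encoders, for example to read a Base64 cookie or a percent-encoded parameter before deciding where to mark a payload position.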
Selecting a payload

So far we have enabled the Burp Suite proxy, captured a request, sent it to the Intruder tool and marked our payload positions. We now need to tell the Intruder tool what values to insert into those positions. To define our payloads we need to click on the payloads tab within the Intruder tool:
We are going to use the sniper attack type in this example, so we only have one payload set. The dropdown menu next to the payload set number lets you choose between many payload types for different kinds of testing and data manipulation, as you can see below (definitions taken from the Burp Suite documentation):

Preset list: This is the simplest payload source, and configures a preset list of payload items.

Runtime file: This payload source configures an external text file from which payloads will be read at runtime. This is useful when a very large list of predefined payloads is needed, to avoid holding the entire list in memory. One payload is read from each line of the file, hence payloads may not contain newline characters.

Custom iterator: This payload source provides a powerful way to generate custom permutations of characters or other items according to a given template. For example, a payroll application may identify individuals using a personnel number of the form AB/12; you may need to iterate through all possible personnel numbers to obtain the details of all individuals.

Character substitution: This payload source takes a preset list of payload items, and produces several payloads from each item by replacing individual characters in the item with different characters, according to customisable rules. This payload source is useful in password guessing attacks, e.g. for producing common variations on dictionary words.
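The following Python is an added example, not Burp Suite's code, showing what three of the ideas above do under the hood: a custom iterator that enumerates the AB/12 personnel numbers from per-position item lists and separators, a character substitution generator for password variations (the substitution table is a constructed leetspeak example, since Burp lets you define your own rules), and a sniper driver that feeds one payload set into each marked position of a request in turn. The request template and the payload position markers (§) are constructed for the example.

```python
import itertools
import string
from typing import Dict, Iterable, Iterator, Sequence, Tuple

# Added example: custom iterator, character substitution and the sniper attack
# type, as described in the payloads tab discussion. Illustrative code only,
# not Burp Suite's own implementation.


def custom_iterator(positions: Sequence[Sequence[str]],
                    separators: Sequence[str] = ()) -> Iterator[str]:
    """Yield every combination of one item per position; each position may be
    followed by a separator, as in Intruder's custom iterator template."""
    seps = list(separators) + [""] * (len(positions) - len(separators))
    for combo in itertools.product(*positions):
        yield "".join(item + sep for item, sep in zip(combo, seps))


def personnel_numbers() -> Iterator[str]:
    """All personnel numbers of the form AB/12: two letters, a slash, two digits."""
    letters = string.ascii_uppercase
    digits = string.digits
    return custom_iterator([letters, letters, digits, digits],
                           separators=["", "/", "", ""])


# Constructed substitution table in the style commonly used for password
# variations; Burp's rules are editable, so treat this as an example only.
LEET_RULES: Dict[str, str] = {"a": "4", "b": "8", "e": "3", "g": "6",
                              "i": "1", "o": "0", "s": "5", "t": "7"}


def character_substitution(words: Iterable[str],
                           rules: Dict[str, str] = LEET_RULES) -> Iterator[str]:
    """For each word yield the word itself plus every variant produced by
    applying any subset of the applicable substitutions."""
    seen = set()
    for word in words:
        options = [(c, rules[c]) if c in rules else (c,) for c in word]
        for combo in itertools.product(*options):
            candidate = "".join(combo)
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def sniper(template: str, payloads: Iterable[str],
           marker: str = "§") -> Iterator[Tuple[int, str, str]]:
    """Sniper attack: one payload set, inserted into each marked position in
    turn while the other positions keep their original (base) value.
    Yields (position index, payload, resulting request)."""
    parts = template.split(marker)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced position markers in template")
    literals, bases = parts[0::2], parts[1::2]
    payload_list = list(payloads)
    for idx in range(len(bases)):
        for payload in payload_list:
            values = list(bases)
            values[idx] = payload
            request = literals[0] + "".join(
                v + lit for v, lit in zip(values, literals[1:]))
            yield idx, payload, request


if __name__ == "__main__":
    # Constructed request line with two marked positions
    template = "GET /account?id=§1337§&lang=§en§ HTTP/1.1"
    for idx, payload, request in sniper(template, character_substitution(["pass"])):
        print(idx, payload, request)
```

Note that the sniper driver yields one request per payload per position, so two positions and eight payloads produce sixteen requests; a cluster bomb attack would instead take the product of separate payload sets per position. The `seen` set in the substitution generator matters for the runtime file case too: duplicate payloads waste requests and can trip rate limiting without adding coverage.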