During a recent web app engagement, I wanted to run some of Burp Scanner's automated checks, but I ran into a couple of problems. First, this particular application did not respond kindly to manipulation of its session cookies. The application and its single sign-on (SSO) solution issued several session cookies, and tampering with any one of them expired all of them, logging me out. Although this is configurable, Burp's scanner tests cookie values by default, so a blind scan would have killed my session on the first request.
The application also contained what I will call nested parameters. These took the form
&NestedParameter=0|0|0|0|0|5#1|0|0|0|0|17...
This appeared to be several sets of parameters packed into a single parameter: within each set, the leading
0| is the parameter name, the remaining
0|0|0|0|5 are that parameter's values, and the # separates one set of nested parameters from the next.
Example of Nested Parameters
I wanted to run an automated scan against every value in every nested set, but some requests contained upwards of 30 parameter sets. I also needed to keep the scanner away from the session cookies so I didn't get logged out. If you've watched Tim Tomes' excellent talk from DerbyCon VII, you know that Burp's Intruder is a great way to do targeted scanning of parameters: send the request to Intruder, mark the parameters you want to scan (they're all selected by default), then right-click and choose "Actively scan defined insertion points." Unfortunately, Intruder did not recognize the nested parameter-value sets and instead marked the entire string after
&NestedParameter= as a single value.
Intruder Doesn’t Recognize Nested Parameters
Initially, I tried to select each individual value by hand. With small sets, this was easy. With large sets, it was quite a chore. Given the number of pages in this application, I knew I had to find a better way. Once again, Tim Tomes came to the rescue with some great knowledge.
The character that marks the beginning and end of a payload position in Intruder is the section sign (§, U+00A7). Tim suggested copying the request from Intruder into a text editor and doing a quick search and replace to mark the values I wanted to target. Genius! All I needed to do was find each value that followed a |, wrap it in §, and make sure a § preceded every #. A quick Vim substitution
s/|\(\d*\)/|§\1§/g fit the bill perfectly (this is Vim syntax; GNU sed has no \d, so use [0-9]* there, and note that because \d* also matches an empty run, a | followed by a non-numeric value would get an empty §§ position rather than a marked value). After replacing the original nested parameter with the regex'ed one, the result looked like
&NestedParameter=1|§0§|§0§|§0§|§0§|§5§#2|§0§|§0§|§0§|§0§|§17§. Problem solved! Because the substitution only touches the request body I pasted in, the Cookie header is left unmarked and the scanner never touches the session cookies.
Nested Parameters Marked
Even though I knew that Intruder used the section sign to mark insertion points, it never occurred to me that I could mark parameters this way. It's just more proof that no matter how much you may know, there's always more to learn!