Quick-Hit: Editing Submissions in BurpSuite

Let’s say you’re running some tests on a service and want to use some characters that aren’t standard in your systems’ character set.  How do you do that?

First up, figure out what characters you want to send.  For the purposes of this demonstration I’ll be using the Kanji for “First Order” which is 部首順 (and not related to Star Wars, but we can pretend).

Next, find the actual bytes used to represent this.  One of the easiest ways is to search Google for a page containing the characters, then hexdump the result.  For this approach you can do it as follows (assuming you’re using Linux, which is my global assumption):

  1. Navigate to a page with the character(s) on it.  I’m using Encodings of Japanese for this example.
  2. Note what text is right near the character(s)
  3. Save the page as a file locally by right clicking and choosing “Save As…” (I’ll say it was saved as NonStandardChars.html)
  4. In a terminal grep for the text near the character(s) to isolate where they are
  5. Add an “xxd” command to get the raw hex values
  6. Review the results to find the non-printable character bytes in the expected position (in this case, it was “e9 83 a8 e9 a6 96 e9 a0 86”, and I added the -c 30 to make it easier to read)

Or you could just reference the definitions themselves if you want to be more holistic about it. 🙂

Now we need to add them to our query.  In this case I’m using the W3 Schools online tutorial on posting to a form if you want to try it yourself.  First we capture the request in BurpSuite, same as normal, then send it to Repeater (you could of course edit this during an intercept as well, but Repeater is easier in my opinion).

To add the non-printable characters just do the following:

  1. Determine how many bytes will be used by the target characters (9 bytes in my example above).
  2. Make sure you have something to easily replace in your request, such as capital letter D (which conveniently becomes “44” in hex), and that you have enough of them to cover the new content (e.g. “DDDDDDDDD” for this case)
  3. Click on the “Hex” tab in your request pane of BurpSuite and find the text to replace.
  4. Edit the individual bytes to the hex values you noted in step 6 above.
  5. Submit for great #Victory
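
As an added example (not part of the original post), this Python sketch reproduces both procedures above offline: it derives the UTF-8 bytes for 部首順, sizes the “D” placeholder by byte count rather than character count, and overwrites it in place so the Content-Length header stays valid. The helper names, host, path and form fields are assumptions, and the request is constructed.

```python
import re

def utf8_hex(text: str) -> str:
    """Space-separated hex of the UTF-8 encoding, as xxd would display it."""
    return text.encode("utf-8").hex(" ")

def placeholder_for(text: str, fill: str = "D") -> str:
    """One fill character per encoded byte (not per character)."""
    return fill * len(text.encode("utf-8"))

def patch_request(raw: bytes, marker: str, text: str) -> bytes:
    """Overwrite the marker bytes in place, like editing cells in the Hex tab."""
    old, new = marker.encode("ascii"), text.encode("utf-8")
    if len(old) != len(new):
        raise ValueError(f"marker is {len(old)} bytes, replacement is {len(new)}")
    if raw.count(old) != 1:
        raise ValueError("marker must appear exactly once in the request")
    return raw.replace(old, new)

def content_length_ok(raw: bytes) -> bool:
    """True when the Content-Length header matches the actual body size."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    return m is not None and int(m.group(1)) == len(body)

# Constructed sample request (hypothetical host, path and field names).
TEXT = "部首順"
MARKER = placeholder_for(TEXT)                      # "DDDDDDDDD"
BODY = f"fname={MARKER}&lname=Test".encode("ascii")
REQUEST = (
    b"POST /form HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(BODY)).encode("ascii") + b"\r\n\r\n" + BODY
)
PATCHED = patch_request(REQUEST, MARKER, TEXT)

if __name__ == "__main__":
    print(utf8_hex(TEXT))
    print(content_length_ok(PATCHED), PATCHED)
```

Because the swap is byte-for-byte, the request length never changes; a placeholder sized by character count (three “D”s here) would be rejected by `patch_request` instead of silently producing a mismatched Content-Length.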

That’s it!  Good Hunting!
