Tag Archives: burp

Testing uploads with Burp Intruder – Updated

Just updated my Intruder extension (described here) to provide two payload generators: the original one with the file contents and another one with the matching file name.

So, if you need both the content and file name in your Intruder attack, choose Pitchfork as the Attack type and use File as Payload for one Payload set and Filename as Payload for the other.

With this update you can synchronize the file name and its contents in the attack without much hassle, something that was not trivial in the previous version.

Testing uploads with Burp Intruder

While testing an file upload functionality with Burp’s Repeater I noticed the site response changed depending on the file being uploaded, which is normal if the server is validating the file headers.
After a few requests with different responses I got tired of doing this manually and decided to use Burp’s Intruder feature. I quickly noticed that there is no way of telling the Intruder to inject the contents of a list of files in the request.

So I wrote an extension that reads a folder files and feeds their content, one at a time, as a payload to use in the Intruder.
Suppose you have a folder with your best malicious files, zip and xml bombs, jpegs with other contents, php shells, etc. You point the extension to this folder and just use the Repeater normally, setting the payload source as being this extension.
If you need/want to synchronize the file contents with the file name, the extension tab shows the names of the files it just read so you can use them as payload for a second position in the request, using the pitchfork attack.

EDIT
There is a new version of the extension that provides two generators, one for the file name and other for the file contents, easing this synchronization process. See this update post.

Burp Intruder File Payload Extension tab

Choosing the input files

Configuring the Intruder

Configuring the Intruder

The extension is available here as a single jar. The code is available here.
I have submitted it to the BApp Store but it hasn’t been approved yet.

EDIT
Now available at the BApp Store, here :)

Enjoy.

B-Sides Lisbon is coming

The second edition of B-Sides Lisbon is coming! This security conference is happening at the 3rd of July in Lisbon and its a whole day event with two tracks of talks and some good discussions. And it is free!

Screen Shot 2015-01-29 at 21.39.40

The previous, and first edition, happened in 2013 and it was awesome. You can revisit the program here and search for the talks on Google (you will find some for sure).
With a quick search I found Bruno Morisson’s preso:


btw, he is also one of the organizers :)

I also did a presentation on how to start using Burp Suite, including a few tips to use it more efficiently:

Now that you know this years edition will be even better, go ahead and submit a talk here