ricardojba/poi-slinger

Extension not attacking the correct request parameters

slicingmelon opened this issue · 2 comments

Hi,

First of all I would like to say that I was really excited to try this new extension. Very nice work!
I have encountered a few issues.

  1. The extension does not have the option / is not able to inject into a specified parameter. As a result it injects payloads into all the parameters of the selected request. What if I have 10 parameters? In my case the endpoint had two parameters and only one was accepting serialized data. There is no point in attacking the other ones.

  2. The extension also launches a full Burp active scan. I just want to attack a specified parameter. I've noticed the scan runs under Burp's extension-driven active audit. It should perform testing only on the specified parameter(s) using the payloads from the .json file.

  3. I've noticed that it sends the payloads both URL-encoded and base64-encoded. I think it would be better if we could choose from the context menu.
     e.g.: Send to poi-slinger -> base64 payloads
                              -> URL-encoded payloads
     That way we split the estimated time in half. Normally we are aware whether the endpoint accepts base64-encoded or URL-encoded data.

  4. I was testing on an endpoint and the base request was an HTTP request. After I sent the request to poi-slinger, the extension started to perform requests over HTTPS. It should stick to the base request's protocol. In this case I had to use an extra extension to force a redirect from HTTPS to HTTP.

Hi,
Sorry for the late response and thank you for taking the time to test the extension.
I'm going to try and address the issues you pointed out as soon as I have some spare time.

Hi,

I tested point 4 of your feedback and was not able to reproduce it with the original code. I did a small code change, but saw no different results. I've reverted the change, since the original code is working.

Regarding the scanning of selected parameters (points 1 and 2), you can do this by importing the request into Intruder, setting the desired injection points, right-clicking the request and selecting Scan defined insertion points. This is a long-supported feature of Burp Intruder.

Finally, for point number 3, I will make a note to introduce this improvement in the future when I have a bit more time.

Thank you for the feedback and testing.