Blog | G5 Cyber Security

Burp Scanner: Auto URL Encode

TL;DR

Automatically URL encode Burp Scanner requests to find more vulnerabilities. This guide shows you how to configure a Burp Suite extension to do this.

Step-by-step Guide

  1. Install the Extension: You’ll need an extension that handles URL encoding before sending requests to the scanner. A popular choice is “Encoder”. You can install it from the BApp Store within Burp Suite.
  2. Configure Encoder (if needed):
    • Go to Burp > Extender.
    • Select ‘Encoder’ in the list of installed extensions.
    • Click on ‘Options’.
    • Ensure that URL encoding is enabled and configured as you need it (e.g., percent-encoding). The default settings are usually fine.
  3. Configure Burp Scanner to use the Encoder: This step depends slightly on your version of Burp Suite, but generally involves setting up a ‘Macro’.
    • Go to Burp > Settings.
    • Select ‘Scanner’ in the left-hand menu.
    • Navigate to the ‘Request Templates’ tab.
    • Click on ‘Add’. Give your macro a descriptive name (e.g., “URL Encode”).
    • In the ‘Macro Description’, add the following code:
      macroName = "URL Encode";
      requestTemplate = request;
      encodedRequest = urlEncode(requestTemplate);
      return encodedRequest;
  4. Apply the Macro to Scan Configurations: Now you need to tell Burp Scanner when to use your new macro.
    • In Burp > Settings, go back to ‘Scanner’.
    • Select the ‘Scan Configurations’ tab.
    • Edit the scan configuration(s) you want to modify (e.g., “Default Scan Configuration”).
    • Go to the ‘Request Templates’ section within the scan configuration settings.
    • Add a new request template entry.
      • Name: Give it a name like “Encoded URL”.
      • Macro: Select the “URL Encode” macro you created earlier.
      • Match and Replace Rules: This is where you define *which* requests get encoded. A simple rule to encode all URLs is:
        .*

        (This will apply the encoding to every request.) You can use more specific regular expressions here if you only want to encode certain parts of the URL or requests with particular characteristics.

  5. Run Your Scan: Start a new scan, or re-run an existing one. Burp Scanner will now automatically URL encode the requests according to your configuration.
  6. Review Results: Check the scanner results for any vulnerabilities that were newly discovered because of the URL encoding. Pay attention to encoded characters in the request URLs and parameters.

Important Considerations
