Blog | G5 Cyber Security

Burp Suite: Safe URL Encoding of Request Bodies

TL;DR

URL encoding request bodies in Burp Suite is generally safe and often necessary to handle special characters. However, it’s crucial to understand what you’re encoding and why. Incorrect or excessive encoding can lead to vulnerabilities or broken applications. Always test thoroughly after making changes.

Understanding URL Encoding

URL encoding (also known as percent-encoding) replaces unsafe characters in a URL with a % followed by two hexadecimal digits representing the ASCII code of that character. For example, a space is encoded as %20. This is necessary because URLs have restrictions on which characters they can contain.
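To make the mechanism concrete, here is a small percent-encoder and decoder written for this post as an added illustration (it is not Burp Suite code). It follows the RFC 3986 rule the paragraph describes: characters in the unreserved set (letters, digits, `-._~`) pass through, everything else is emitted as `%` plus two hex digits of each UTF-8 byte. The `safe` parameter, which lets a caller keep chosen characters such as form separators unencoded, is an assumption of this example.

```python
"""Minimal RFC 3986 percent-encoding, written as an added example for this post."""

# Unreserved characters per RFC 3986 section 2.3: never need encoding.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
HEX_DIGITS = set("0123456789abcdefABCDEF")


def percent_encode(text: str, safe: str = "") -> str:
    """Encode every byte of the UTF-8 form of `text` that is not unreserved
    (and not in `safe`) as %XX. Non-ASCII characters become several %XX groups,
    one per UTF-8 byte, which is why 'é' turns into '%C3%A9'."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)  # bytes >= 0x80 map to chars that are never unreserved
        if ch in UNRESERVED or ch in safe:
            out.append(ch)
        else:
            out.append(f"%{byte:02X}")
    return "".join(out)


def percent_decode(text: str) -> str:
    """Reverse percent_encode. A '%' that is not followed by two hex digits is
    rejected rather than passed through, so malformed input is visible."""
    buf = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            pair = text[i + 1 : i + 3]
            if len(pair) != 2 or any(c not in HEX_DIGITS for c in pair):
                raise ValueError(f"malformed percent escape at offset {i}")
            buf.append(int(pair, 16))
            i += 3
        else:
            buf.extend(text[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


if __name__ == "__main__":
    sample = "John Doe & Co/é"  # constructed sample input
    enc = percent_encode(sample)
    print(enc)                       # John%20Doe%20%26%20Co%2F%C3%A9
    print(percent_decode(enc) == sample)
```

The encoder agrees with `urllib.parse.quote(text, safe="")` from the standard library; the hand-written version is here only so the byte-by-byte rule is visible. Note that a decoder that silently keeps a bare `%` (instead of raising) is the kind of lenient parsing that makes encoding mismatches hard to spot during testing.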

Why Encode Request Bodies?

You might need to encode request bodies in Burp Suite for these reasons:

How Burp Suite Handles Encoding

Burp Suite provides several ways to encode request bodies:

Step-by-Step Guide to Encoding in Burp Suite

  1. Identify the Need: Determine if encoding is necessary. Look at the application’s behaviour when sending unencoded data. Does it break? Are characters being misinterpreted?
  2. Use the Encoder Tool (Recommended):
    • Go to Proxy > Tools > Encoder.
    • Select ‘URL Encode’.
    • Paste the request body segment you want to encode into the input field.
    • The encoded output will appear in the output field.
    • Copy and paste the encoded data back into your Burp Suite request editor (Repeater, Intruder, etc.).
  3. Test Thoroughly: After encoding, send the modified request to the application.
    • Verify that the application processes the data correctly.
    • Check for any unexpected behaviour or errors.
    • Compare the results with the original (unencoded) request if possible.

Potential Risks and How to Avoid Them

Example

Let’s say you want to send the following data in your request body:

name=John Doe&city=London

The space in John Doe needs to be encoded. The ampersand (&) and the equals sign (=) are the field separators of a form body, so they stay as they are; only the names and values between them are encoded. Using Burp Suite’s Encoder tool on the value, you would get:

name=John%20Doe&city=London

Now the request body is safe for transmission.
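The following added example (not from the original post, and not Burp Suite code) shows the two checks a tester wants around the example above: encoding each field value on its own so the `&` and `=` structure survives, and spotting the "excessive encoding" the TL;DR warns about. The helper names and the constructed sample bodies are this example's own.

```python
"""Form-body encoding checks, written as an added example for this post."""
import re
from urllib.parse import parse_qs, quote

# Signature of a '%' that was itself percent-encoded: '%25' + two hex digits.
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")


def encode_form_body(fields: dict[str, str]) -> str:
    """Encode names and values separately; '&' and '=' are left as structure.
    A space becomes %20 (a form parser also accepts '+' for a space)."""
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in fields.items())


def encode_whole_body(body: str) -> str:
    """What happens if the entire body is pasted into the encoder: the
    separators are encoded too and the server no longer sees separate fields."""
    return quote(body, safe="")


def parse_form_body(body: str) -> dict[str, list[str]]:
    """Decode a body the way a typical server-side form parser does, so the
    tester can compare what was sent with what the application will read."""
    return parse_qs(body, keep_blank_values=True)


def looks_double_encoded(body: str) -> bool:
    """True when a value was encoded twice (e.g. 'John%20Doe' encoded again
    becomes 'John%2520Doe'); the application would then read a literal '%20'."""
    return DOUBLE_ENCODED.search(body) is not None


if __name__ == "__main__":
    fields = {"name": "John Doe", "city": "London"}  # the post's example, constructed
    body = encode_form_body(fields)
    print(body)                            # name=John%20Doe&city=London
    print(parse_form_body(body))           # {'name': ['John Doe'], 'city': ['London']}
    broken = encode_whole_body("name=John Doe&city=London")
    print(broken)                          # name%3DJohn%20Doe%26city%3DLondon
    print(parse_form_body(broken))         # one field, no values: structure lost
    print(looks_double_encoded(quote(body, safe="")))  # True: encoded twice
```

Running `parse_form_body` on the request you are about to send is the quickest way to do the "Test Thoroughly" step: if the decoded dictionary does not contain the fields and values you intended, the encoding was applied to the wrong part of the body. The same decoded view is what the backend validates, which is why encoding on the client does nothing to protect the server from a hostile value.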

Cyber Security Considerations

Always remember that encoding is a part of data preparation, not a replacement for proper input validation and output sanitization. Ensure your application’s backend handles encoded data securely to prevent cyber security vulnerabilities like cross-site scripting (XSS) or SQL injection.
