PortSwigger / param-miner

https://portswigger.net/blog/practical-web-cache-poisoning

Add custom param value #29

Open MMquant opened 4 years ago

MMquant commented 4 years ago

It would be nice if you could pass an arbitrary param value instead of using just wrtqva<random>. The idea is that I would like to fuzz for blind SSRF during header discovery, so I would like to pass <random>.brp.mmquant.net as the header value.

I tried to modify code in

ParamGuesser.java:249
ParamGuesser.java:587
Attack.java:31
Utilities.java:771

Compiled and then copied

ParamGuesser.class
Attack.class
Utilities.class

to /root/.BurpSuite/bapps/<appId>/build/libs/burp/<classFile> but I'm unable to get it to work, as param-miner still fuzzes with the wrtqva<random> string. (I'm not a Java dev :) )

albinowax commented 4 years ago

To apply any source changes you just need to run 'gradle build fatjar' then load the resulting jarfile into Burp.