PortSwigger / param-miner

https://portswigger.net/blog/practical-web-cache-poisoning

Parameter brute force cracking can see different responses, but the parameter miner did not report #51

Closed superboy-zjc closed 3 years ago

superboy-zjc commented 3 years ago

portswigger LAB: https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-unkeyed-query

My Setting: [image: QQ图片20210318155350]

Obvious result: [image: QQ图片20210318155516]

But no report.

plugin version: V1.27, burpsuite pro: 2012.2

albinowax commented 3 years ago

That request is not a parameter bruteforce probe; it's param-miner identifying how many params it can put in one request before the server gets upset.