Closed JaveleyQAQ closed 6 days ago
Sorry, I'm not sure I understand you. Can you let me know which type of attack you are running, provide a screenshot of your Param Miner settings, and a screenshot that shows the unexpected result?
Unfortunately I can't load this link.
When you cancel the request parameters, they still appear in the GET request.
Ahh thanks. This is the intended behaviour. 'params: query' refers to whether it attempts to scan existing query parameters. The parameter that you are observing in the query is just a cache-buster.
In the latest version, I can't find this JSON param option. If I don't want a random parameter to be inserted into the query, how should I configure it?
'Lab: Exploiting a mass assignment vulnerability' In this lab, I'm unable to complete it using this extension because the parameter in the query is not being parsed.
Sorry, this isn't currently possible but I'll fix it for you
The attached release should fix this if you uncheck the new 'include query-param in cachebusters' checkbox, can you test it? https://github.com/PortSwigger/param-miner/releases/tag/v1.5
The issue has been addressed, however, I encountered an error during the vulnerability scan.
Using albinowaxUtils v1.4
This extension should be run on the latest version of Burp Suite. Using an older version of Burp may cause impaired functionality.
Loaded Param Miner v1.5
Updating active thread pool size to 8
Loop 0
Loop 1
Queued 1 attacks from 1 requests in 0 seconds
Unrecognised type: 6
Initiating json bruteforce on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_products:[0]:quantity~1
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_products:[0]:product_id~1
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_discount
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_products
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_products:[0]
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_products:[0]:item_price
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
That one was pretty harmless but I've fixed it anyway: https://github.com/PortSwigger/param-miner/releases/tag/v1.51
When I deselect 'params: query', the feature does not take effect, and the query parameters are still included in the request.
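The thread turns on two separate settings that are easy to confuse: 'params: query' decides whether the existing query-string parameters are scanned at all, while the 'include query-param in cachebusters' checkbox decides whether a random parameter is appended to the query so every probe bypasses caches. The log also shows how Param Miner names JSON body parameters (chosen_products:[0]:quantity, chosen_discount). The Python below is an added illustration of those two ideas, not Param Miner's code. The colon/[index] path notation is modelled on the names printed in the log above and is an assumption about the tool's convention; the sample URL, JSON body and the cache-buster parameter name `cb` are constructed placeholders.

```python
import json
import secrets
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample request in the shape of the lab request discussed in the
# thread. Not a capture from the lab; values are placeholders.
SAMPLE_QUERY_URL = "https://example.invalid/api/checkout?coupon=NONE"
SAMPLE_JSON_BODY = (
    '{"chosen_products":[{"product_id":"1","quantity":1}],'
    '"chosen_discount":{"percentage":0}}'
)


def json_param_names(body: str) -> List[str]:
    """Flatten a JSON body into colon-separated path names.

    The notation (key:[index]:key) is an assumption modelled on the names
    Param Miner printed in the log above, e.g. chosen_products:[0]:quantity.
    Every intermediate node is reported too, matching log entries such as
    chosen_products and chosen_products:[0].
    """
    names: List[str] = []

    def walk(node, prefix: str) -> None:
        if prefix:
            names.append(prefix)
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{prefix}:{key}" if prefix else key)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{prefix}:[{index}]")

    walk(json.loads(body), "")
    return names


def with_cache_buster(url: str, include_query_cachebuster: bool,
                      token: Optional[str] = None) -> str:
    """Append a random query parameter so each probe bypasses HTTP caches.

    Mirrors the 'include query-param in cachebusters' checkbox from the
    thread: when it is off, the query string is returned untouched. The
    parameter name 'cb' is a placeholder, not Param Miner's actual name.
    """
    if not include_query_cachebuster:
        return url
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.append(("cb", token or secrets.token_hex(4)))
    return urlunsplit(parts._replace(query=urlencode(params)))


def insertion_points(url: str, body: str, scan_query: bool = True,
                     scan_json: bool = True) -> List[Tuple[str, str]]:
    """List the (kind, name) locations a scan would probe.

    scan_query plays the role of 'params: query': it only controls whether
    the request's own query parameters are included, independently of any
    cache-buster that with_cache_buster() may add.
    """
    points: List[Tuple[str, str]] = []
    if scan_query:
        for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            points.append(("query", name))
    if scan_json and body:
        for name in json_param_names(body):
            points.append(("json", name))
    return points


if __name__ == "__main__":
    # Query parameters are skipped, yet a cache-buster is still appended:
    # the two settings are independent, which is the point the maintainer makes.
    print(with_cache_buster(SAMPLE_QUERY_URL, True))
    for kind, name in insertion_points(SAMPLE_QUERY_URL, SAMPLE_JSON_BODY,
                                       scan_query=False):
        print(kind, name)
```

Running the block with `scan_query=False` still yields a URL carrying the `cb` parameter, which is exactly the behaviour the reporter saw: turning off 'params: query' stops the existing parameters from being scanned but does not remove the cache-buster; only the separate checkbox does that.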