PortSwigger / param-miner

https://portswigger.net/blog/practical-web-cache-poisoning

URL-based cachebuster can't be disabled #94

Closed JaveleyQAQ closed 6 days ago

JaveleyQAQ commented 1 month ago

When I deselect 'params: query', the feature does not take effect, and the query parameters are still included in the request.

albinowax commented 2 weeks ago

Sorry, I'm not sure I understand you. Can you let me know which type of attack you are running, provide a screenshot of your Param Miner settings, and a screenshot that shows the unexpected result?

JaveleyQAQ commented 2 weeks ago

> Sorry, I'm not sure I understand you. Can you let me know which type of attack you are running, provide a screenshot of your Param Miner settings, and a screenshot that shows the unexpected result?

https://media.discordapp.net/attachments/1161955063531569183/1186247238540853319/123.gif?ex=66d0f015&is=66cf9e95&hm=72a257b235455233b7b28c29807262ecbc71491253dc196f2c0f474ee56b8888&=&width=750&height=532

albinowax commented 1 week ago

Unfortunately I can't load this link.

JaveleyQAQ commented 1 week ago

> Unfortunately I can't load this link.

When you cancel the request parameters, they still appear in the GET request.

albinowax commented 1 week ago

Ahh thanks. This is the intended behaviour. 'params: query' refers to whether it attempts to scan existing query parameters. The parameter that you are observing in the query is just a cache-buster.

JaveleyQAQ commented 1 week ago

> Ahh thanks. This is the intended behaviour. 'params: query' refers to whether it attempts to scan existing query parameters. The parameter that you are observing in the query is just a cache-buster.

In the latest version, I can't find this JSON param option. If I don't want a random parameter to be inserted into the query, how should I configure it?

JaveleyQAQ commented 1 week ago

'Lab: Exploiting a mass assignment vulnerability' In this lab, I'm unable to complete it using this extension because the parameter in the query is not being parsed.

albinowax commented 1 week ago

Sorry, this isn't currently possible but I'll fix it for you

albinowax commented 1 week ago

The attached release should fix this if you uncheck the new 'include query-param in cachebusters' checkbox. Can you test it? https://github.com/PortSwigger/param-miner/releases/tag/v1.5
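Added illustration, not part of the thread and not Param Miner's code: a toy model of what a URL-based cache-buster does to the cache key, and what a request looks like once the query-parameter cache-buster is switched off. The parameter name `cb`, the `include_query_param` flag, the `ToyCache` class and the sample URL are all assumptions made for this sketch.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def add_cachebuster(url, include_query_param=True, name="cb"):
    """Append a random query parameter unless the toggle is off.

    `name` and the toggle are hypothetical stand-ins for this sketch.
    """
    if not include_query_param:
        return url  # request goes out with its query string untouched
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((name, secrets.token_hex(4)))
    return urlunsplit(parts._replace(query=urlencode(query)))


def cache_key(url):
    """Toy cache key: host, path and the full sorted query string."""
    parts = urlsplit(url)
    return (parts.netloc, parts.path,
            tuple(sorted(parse_qsl(parts.query, keep_blank_values=True))))


class ToyCache:
    """Stores one response per cache key, as a shared cache would."""

    def __init__(self):
        self.store = {}

    def fetch(self, url, origin_response):
        # First request for a key stores the origin's answer; later ones hit.
        return self.store.setdefault(cache_key(url), origin_response)


def demo():
    clean = "https://shop.example/cart?id=7"  # constructed sample URL
    cache = ToyCache()
    probe = add_cachebuster(clean)
    # A scanner probe that changes the response is cached under its own key...
    cache.fetch(probe, "response altered by probe")
    # ...so a visitor requesting the clean URL still gets the normal page.
    visitor = cache.fetch(clean, "normal page")
    unchanged = add_cachebuster(clean, include_query_param=False)
    return probe, visitor, unchanged
```

The existing `id` parameter is preserved in both modes; only the extra random parameter differs, which is why it shows up in requests even when scanning of existing query parameters is deselected.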

JaveleyQAQ commented 1 week ago

The issue has been addressed; however, I encountered an error during the vulnerability scan.

```
Using albinowaxUtils v1.4
This extension should be run on the latest version of Burp Suite. Using an older version of Burp may cause impaired functionality.
Loaded Param Miner v1.5
Updating active thread pool size to 8
Loop 0
Loop 1
Queued 1 attacks from 1 requests in 0 seconds
Unrecognised type: 6
Initiating json bruteforce on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_products:[0]:quantity~1
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_products:[0]:product_id~1
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_discount
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_products
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_products:[0]
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
Identified parameter on 0a67007904f03c3181089fbc00fa0054.web-security-academy.net: chosen_products:[0]:item_price
Error in thread: class burp.JsonParamNameInsertionPoint cannot be cast to class burp.ParamNameInsertionPoint (burp.JsonParamNameInsertionPoint and burp.ParamNameInsertionPoint are in unnamed module of loader burp.Za99 @1bef10e3). See error pane for stack trace.
```

JaveleyQAQ commented 1 week ago

image

albinowax commented 6 days ago

That one was pretty harmless but I've fixed it anyway: https://github.com/PortSwigger/param-miner/releases/tag/v1.51