During a recent web app engagement, I wanted to run some of the Burp Scanner automated checks, but I was confronted with several issues. First, this particular application did not respond kindly to manipulation of the session cookies. The application and its single sign on solution issued a number of session cookies. Manipulation of any of the session cookies resulted in expiration of all session cookies. Although it’s configurable, Burp’s scanner runs tests against cookies by default.

The application also contained what I will call nested parameters. These nested parameters were in the form &NestedParameter=0|0|0|0|0|5#1|0|0|0|0|17... This appeared to be sets of parameters nested inside one parameter, where 0| was the parameter name and 0|0|0|0|5 were values for that parameter. The # was used to separate each set of nested parameters.

Example of Nested Parameters

I wanted to be able to run an automated scan against all of the different nested parameters, but some requests contained upwards of 30 parameter sets. I also needed to avoid testing the session cookies so I didn’t get logged out. If you’ve watched Tim Tomes‘ excellent talk from DerbyCon VII, you know that Burp’s Intruder is a great way to do targeted scanning of parameters. Just send the request to Intruder, mark the parameters you want to scan (they’re all selected by default), and right click and select “Actively scan defined insertion points.” Unfortunately, Intruder did not recognize the nested parameter-value sets and instead marked the entire set of values after &NestedParameter as one value.

Intruder Doesn’t Recognize Nested Parameters

Initially, I tried to select each individual value by hand. With small sets, this was easy. With large sets, it was quite a chore. Given the number of pages in this application, I knew I had to find a better way. Once again, Tim Tomes came to the rescue with some great knowledge.

The character that marks the beginning and end of a parameter value in Intruder is the subsection sign. Tim suggested just copying the request from Intruder into a text editor and doing a quick search and replace to mark the values I wanted to target. Genius! All I needed to do was search for | and insert a § before and after the value and add § before every #. A quick regex s/|\(\d*\)/|§\1§/g fit the bill perfectly. After removing the original nested parameter and pasting in the regex’ed one, the resulting nested parameter looked like &NestedParameter=1|§0§|§0§|§0§|§0§|§5§#2|§0§|§0§|§0§|§0§|§17§. Problem solved!

Nested Parameters Marked

Even though I knew that Intruder used the subsection sign to mark insertion points, it never occurred to me that I could mark parameters in this way. It’s just more proof that no matter how much you may know, there’s always more to learn!