The application I’m running a security assessment on encodes POST requests as follows:
POST /foo/save HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 6652
<snip>
bar={"options"%3a{"key"%3a"26b678c6-1d75-41c0-8a20-d9882828c76c","description"%3a"Foo"...<snip>&key=26b678c6-1d75-41c0-8a20-d9882828c76c
i.e. a parameter containing JSON is inserted in the bar key; therefore it is JSON encoded and then percent encoded.
Is there a way to automatically encode payloads using Burp for use in Intruder? The only way that comes to mind is to run payloads through JavaScript hex encoding first, then load the encoded list into Burp and then URL-encode from there. Is there anything built in that would do this? The closest I found was “Javascript constructed string”, however this is not suitable for use in JSON.
So to summarise I need the payload to be JSON hex entity encoded then URL encoded (Burp easily does the latter, so the JSON encoding is the bit I need).
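One way to pre-process a payload list outside Burp, as an added example that is not part of the original post: the Python below escapes every character except ASCII letters and digits as a JSON `\uXXXX` sequence and then percent-encodes the result, so the output can be loaded into Intruder with its own payload URL-encoding disabled. The function names and sample strings are constructed for illustration.

```python
import json
import sys
from urllib.parse import quote, unquote


def json_hex_escape(payload: str) -> str:
    """Escape every character except ASCII letters and digits as JSON \\uXXXX."""
    out = []
    for ch in payload:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
            continue
        # JSON escapes are UTF-16 code units, so characters outside the BMP
        # must be written as a surrogate pair.
        units = ch.encode("utf-16-be", errors="surrogatepass")
        for i in range(0, len(units), 2):
            out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def encode_for_form(payload: str) -> str:
    """JSON-escape, then percent-encode for an x-www-form-urlencoded body."""
    return quote(json_hex_escape(payload), safe="")


def decode_as_server_would(encoded: str) -> str:
    """Reverse both layers: percent-decode, then parse as a JSON string."""
    return json.loads('"' + unquote(encoded) + '"')


# Constructed sample values (assumptions, not taken from the page).
SAMPLES = ['Foo', 'a"b', 'x:y&z=1', 'caf\u00e9 \U0001F600']

if __name__ == "__main__":
    # With piped input, encode one payload per line; otherwise show the samples.
    lines = SAMPLES if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for line in lines:
        print(encode_for_form(line))
```

Piping a wordlist through the script gives one encoded payload per line; `decode_as_server_would` is only there to confirm that both layers round-trip to the original string.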