Skip to content

V3.0.0 - The Embedded JSON Handler

Latest
Latest

Choose a tag to compare

View all tags
@zinja-coder zinja-coder released this 21 Feb 08:41
· 3 commits to main since this release
v3.0.0
061444f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Highlights

  1. Embedded JSON (JSON inside JSON-string) now gets insertion points inside the embedded object/array, not just on the outer string.

    • Example:
      • Input body:
        {"embedded":"{\"json\":\"thisisembedded\",\"key\":1}"}
      • Expected insertion points include:
        • thisisembedded
        • 1

  2. Empty-value handling via DELETE_ME placeholder (Montoya requires non-zero length insertion ranges).

    • Example (query/form/plain):
      • Input: data=&x=1
        • Sent to Intruder as: data=__DELETE_ME__&x=1
        • Expected insertion points include:
          • __DELETE_ME__
          • 1
    • Example (JSON empty string):
      • Input body:
        • {"data":"","ok":"yes"}
      • Sent to Intruder as:
        • {"data":"__DELETE_ME__","ok":"yes"}
      • Expected insertion points include:
        • __DELETE_ME__
        • yes

Changes

  • Updated Montoya API dependency to 2026.2.
  • Modular refactor: core logic moved under com.netsquare.autopayloadpositioner.* while keeping com.netsquare.AutoPayloadPositioner as the Burp entrypoint.
  • Improved overlap handling so smaller “inner” insertion points (like embedded JSON values) are not dropped.

Testing

  • Added tests.md with copy/paste regression cases and expected insertion points (embedded JSON + __DELETE_ME__ included).

Checksum SHA256:

  • AutoPayloadPositioner-v3.0.0.jar: 1c4ea7941c16a6917d5dbbae0cefbabb45f8bb7f3e19bdc3db020a238a0fa46d
Assets 3
Loading