how to replace json values ?

[JaveleyQAQ]

I want to loop payload into all the JSON values

[genuinemoses]

Hi @JaveleyQAQ, maybe you're looking for something similar to the following:

define:
  payload = "PAYLOAD_TO_INSERT"

given request then
  send request
    replacing body: `{"key_1": "{payload}", "key_2": "{payload}"}`

Hope this helps!

[JaveleyQAQ]

Yes. But I think I don't know the key names and quantities for JSON. I found the loop method, given query or body insertion point, but it seems to have failed. It matched the cookie parameters, sent extra requests, and did not correctly insert my payload.

[olliewuk]

Have you tried changing the given query or body insertion point to either

• given query or body or cookie insertion point (as it looks like you want your payload in a cookie?)
  or
• given request per this example? https://github.com/PortSwigger/BChecks/blob/main/examples/server-side-prototype-pollution.bcheck

[JaveleyQAQ]

thank your rep@olliewuk Here is another question:

defind:
    a = `{random_str(5)}`

if {latest.response} matches "`{a}`" then

, why does it fail to match? What should I do to make it match successfully?

[JaveleyQAQ]

Have you tried changing the given query or body insertion point to either您是否尝试将 given query or body insertion point 更改为

• given query or body or cookie insertion point (as it looks like you want your payload in a cookie?) given query or body or cookie insertion point （因为看起来你想在cookie中添加有效负载？）
  or  或
• given request per this example? https://github.com/PortSwigger/BChecks/blob/main/examples/server-side-prototype-pollution.bcheck given request 这个例子？https://github.com/PortSwigger/BChecks/blob/main/examples/server-side-prototype-pollution.bcheck

I don't want to insert payloads in the cookies. My code is using "given query or body insertion point", but it's scanning the cookie parameters and sending a lot of useless requests even though it's not inserting any payload.

[genuinemoses]

thank your rep@olliewuk Here is another question:

defind:
    a = `{random_str(5)}`

if {latest.response} matches "`{a}`" then

, why does it fail to match? What should I do to make it match successfully?

I think there are typos and formatting issues, try with the following code block:

define:
    a = {random_str(5)}

if {latest.response} matches {a} then

[A-J-C]

@JaveleyQAQ unfortunately we don't currently support variables within regex matching. We can note it as a feature request if you would like this supported?

Instead, you could use if {a} in {latest.response} as the in keyword does support variables.

As to better json support, we also have only basic full body insertion point currently available to BChecks, with potential regex replace rules being used to work around it (as seen in the server side pollution check Ollie shared). If you would like this feature we could also note it?

[JaveleyQAQ]

@A-J-C @olliewuk @genuinemoses Thank you very much for your collaboration! https://github.com/smxiazi/xia_sql/blob/main/BurpExtender.java I want to implement a plugin with a bc passive script, but I'm having trouble with JSON matching . I think I need to spend some time understanding examples of server side pollution.

[abdilahrf]

I think now its not possible to replace JSON Payload automatically.

[Michelle-PortSwigger]

That's not currently possible. We'll add your vote for this feature.

[JaveleyQAQ]

That's not currently possible. We'll add your vote for this feature.
Where will the vote be held?

[Michelle-PortSwigger]

Hi

You don't need to go anywhere to vote. When someone requests a new feature, we raise it here, and when additional people also express interest in it, we make a note of that, too, so we can see how many people are interested in the feature to help us prioritize ideas. Your votes are already logged against the feature request. We've done that for you. Sorry for any confusion!

[JaveleyQAQ]

Hi 

You don't need to go anywhere to vote. When someone requests a new feature, we raise it here, and when additional people also express interest in it, we make a note of that, too, so we can see how many people are interested in the feature to help us prioritize ideas. Your votes are already logged against the feature request. We've done that for you. Sorry for any confusion!

Thanks, very much looking forward to this feature!