Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Posting nested JSON data will post a broken mix of json_encoded and dict's str() representation #151

Open
manuelbua opened this issue Jun 24, 2019 · 1 comment

Comments

Projects
None yet
2 participants
@manuelbua
Copy link

commented Jun 24, 2019

Context

Please check:

  • I've read the docs for Wfuzz

Please describe your local environment:

Wfuzz version: Output of wfuzz --version
wfuzz 2.4

Python version: Output of python --version
Python 2.7.16

OS: Kali Linux Rolling (latest)

Report

What is the current behavior?

Posting nested JSON data will actually post JSON-encoded data at the outer level, but Python dictionary's str repr encoded data at the inner level. For example:

Posting -d '{"test": "me", "another": "1"}' will send {"test": "me", "another": "1"} as expected.
Posting -d '{"test":"me","another":1,"nested":{"this":2}}' will wrongly send {"test": "me", "another": "1", "nested": "{u'this': 2}"}.

What is the expected or desired behavior?

Posting -d '{"test":"me","another":1,"nested":{"this":2}}' should actually send {"test": "me", "another": "1", "nested": {"this": 2}}.

Please provide steps to reproduce, including exact wfuzz command executed and output:

wfuzz -u <url> -H "Content-Type: application/json" -X POST -d <data>

Other relevant information:

There is an hacky way around this, and switching the casing in Application/json is enough to have the src/wfuzz/externals/reqresp/Request::setPostData method to set the data as _non_parsed_post:

wfuzz -u <url> -H "Content-Type: Application/json" -X POST -d <data>

However, some picky webservers will actually look for the lowercase version only.

@darrynten

This comment has been minimized.

Copy link

commented Jul 4, 2019

Seeing this on 2.4 too, things get weird as soon as a FUZZ is nested inside another object

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.