
When clicking "send to repeater" the generated request is application/x-www-form-urlencoded

Open eoftedal opened this issue 8 years ago • 4 comments

Steps to reproduce:

  1. Download http://petstore.swagger.io/v2/swagger.json
  2. Open swagger.json in Swagger Parser
  3. Find the POST /pet endpoint and click "send to repeater"

    POST /v2/pet HTTP/1.1
    Host: petstore.swagger.io
    Accept: application/xml, application/json
    Content-Type: application/json, application/xml

    id={integer}&id={integer}&name={string}&name={string}&photoUrls={array}&tags={array}&status={string}

This is an application/x-www-form-urlencoded body, while the Content-Type says application/json, application/xml.

eoftedal avatar Dec 12 '17 13:12 eoftedal

@eoftedal, thanks for the feedback.

This behavior is expected. As you can see in the JSON swagger file at http://petstore.swagger.io/v2/swagger.json, the pet endpoint produces and consumes data of type application/json, application/xml. Consequently, a workaround for your use case would be to manually edit the Swagger file and replace application/json, application/xml with application/x-www-form-urlencoded if what you want is to change the Accept and Content-Type headers.

See the following screenshot: [image]

Hope my answer will help you.

aress31 avatar Dec 12 '17 13:12 aress31

If the endpoint consumes application/xml and application/json, why does swurg create a request of type application/x-www-form-urlencoded? I would like swurg to put JSON in the body, not application/x-www-form-urlencoded, when the content-type from swagger clearly says application/json. Is it because of the duplicate content-types?

eoftedal avatar Dec 14 '17 08:12 eoftedal

@eoftedal that is a fair request, I will add it to the to do list.

Thanks, Alex

aress31 avatar Dec 14 '17 11:12 aress31

@eoftedal I rewrote swurg from scratch - version 2.0 is out.

In this version, I use the official Swagger Parser Java library rather than my own implementation. I also use the IExtenderHelpers interface provided by the Burp Suite APIs to build the requests to send to the Active Scanner, Intruder and Repeater.

At the moment, the Burp Suite APIs do not enable adding in-body JSON and XML parameters - read the following:

    /**
     * This method adds a new parameter to an HTTP request, and if appropriate
     * updates the Content-Length header.
     *
     * @param request The request to which the parameter should be added.
     * @param parameter An <code>IParameter</code> object containing details of
     * the parameter to be added. Supported parameter types are:
     * <code>PARAM_URL</code>, <code>PARAM_BODY</code> and
     * <code>PARAM_COOKIE</code>.
     * @return A new HTTP request with the new parameter added.
     */
    byte[] addParameter(byte[] request, IParameter parameter);

I added a post to the Burp Suite APIs repository asking whether they are planning to correct this. I am now waiting for an answer from them.

Best regards, Alex

aress31 avatar Jan 03 '18 02:01 aress31
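
The behaviour requested in this thread, as an added example in Python (not swurg's code and not taken from any swurg commit): it builds the POST /pet request with a JSON body generated from the body schema and a single Content-Type that matches it, instead of form-encoded parameters. `SPEC` is a constructed subset of the petstore file, and `skeleton` and `build_request` are hypothetical helper names.

```python
import json

# Constructed subset of a Swagger 2.0 file, modelled on POST /pet from this thread.
SPEC = {
    "host": "petstore.swagger.io", "basePath": "/v2",
    "definitions": {
        "Tag": {"type": "object", "properties": {
            "id": {"type": "integer"}, "name": {"type": "string"}}},
        "Pet": {"type": "object", "properties": {
            "id": {"type": "integer"}, "name": {"type": "string"},
            "photoUrls": {"type": "array", "items": {"type": "string"}},
            "tags": {"type": "array", "items": {"$ref": "#/definitions/Tag"}},
            "status": {"type": "string"}}},
    },
    "paths": {"/pet": {"post": {
        "consumes": ["application/json", "application/xml"],
        "produces": ["application/xml", "application/json"],
        "parameters": [{"in": "body", "name": "body",
                        "schema": {"$ref": "#/definitions/Pet"}}]}}},
}

def skeleton(schema, spec):
    """Turn a schema into a placeholder value, resolving local $refs."""
    if "$ref" in schema:
        name = schema["$ref"].rsplit("/", 1)[-1]
        return skeleton(spec["definitions"][name], spec)
    kind = schema.get("type", "object")
    if kind == "object":
        return {k: skeleton(v, spec)
                for k, v in schema.get("properties", {}).items()}
    if kind == "array":
        return [skeleton(schema.get("items", {}), spec)]
    return "{%s}" % kind  # same {type} placeholders as the request in the issue

def build_request(spec, path, method):
    op = spec["paths"][path][method]
    consumes = op.get("consumes", spec.get("consumes", []))
    if "application/json" not in consumes:
        raise ValueError("only the JSON case is shown here")
    body_param = next(p for p in op["parameters"] if p["in"] == "body")
    body = json.dumps(skeleton(body_param["schema"], spec))
    return "\r\n".join([
        "%s %s%s HTTP/1.1" % (method.upper(), spec.get("basePath", ""), path),
        "Host: " + spec["host"],
        "Accept: " + ", ".join(op.get("produces", ["*/*"])),
        "Content-Type: application/json",  # one media type, matching the body
        "Content-Length: %d" % len(body.encode()),
        "", body])
```

Calling `build_request(SPEC, "/pet", "post")` returns the raw request text; the nested `tags` array is expanded through the `Tag` definition rather than flattened to `tags={array}`.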

https://github.com/aress31/swurg/commit/044ac747e10d5e19d18f50a00583bc16b37440e1

aress31 avatar Apr 04 '23 20:04 aress31