JSON Unicode-Escaper

This extension provides UTF-8 JSON Unicode-escaping/unescaping capabilities, as defined in RFC 8259 Section 7.

Features

• Manual Escaper/Unescaper Tab: For escaping and unescaping data manually in a custom Decoder-like tab. Functionality for pasting in files for escaping/unescaping, as well as functionality for copying escaped/unescaped data to files, is included.
• Context Menu Items: For escaping and unescaping data in requests/responses on-demand, as well as for sending highlighted text directly to the manual Escaper/Unescaper tab.
• Intruder Payload Processors: For automatically escaping and unescaping payloads during Intruder attacks.

Usage

Manual Escaper/Unescaper Tab

Location: "JSON Unicode-Escaper" tab in Burp Suite.

Input Options

• Paste from Clipboard: Use Ctrl+V or click the Paste From Clipboard button.
• Send from Context Menu: Highlight text, right-click, and select Send to Manual Escaper/Unescaper.
• Paste From File: Use the Paste From File button.

Processing

Select an escaping/unescaping method from the dropdown. The processed result will appear in the output area.

Output Options

• Copy to Clipboard: Highlight and press Ctrl+C or use the Copy Output To Clipboard button.
• Copy to File: Use the Copy Output To File button.

Context Menu Integration

This extension adds right-click context menu options for requests and responses.

• Editable Fields: Selected text is replaced with the escaped/unescaped result.
• Read-Only Fields: A popup window displays the result for manual copying.
• Send to Escaper/Unescaper: Sends highlighted data to the dedicated tab.

Note: Context menu options are not available in Intruder -> Payloads.

Intruder Payload Processing

Setup

1. Configure your Intruder attack normally.
2. Under Payloads -> Payload Processing, click Add -> Invoke Burp Extension.
3. Select the desired escape/unescape method from the dropdown.

Payloads are automatically processed by the extension before being sent during the attack.

Note: Avoid changing custom escape character settings during an active attack.

Available Methods

• JSON-unescape: Unescapes characters like \n or \u0022. Invalid sequences are left unchanged.
• JSON-escape key chars: Escapes control characters, quotes, backslashes, and some high-ASCII characters.
• JSON Unicode-escape key chars: Same as above, but uses Unicode format (e.g., \u000a).
• JSON Unicode-escape all chars: Escapes every character using Unicode format.
• JSON Unicode-escape custom chars: Escapes only user-specified characters. Configurable in the Settings tab.

Settings Tab Overview

JSON Unicode-escape Custom Chars Configuration

• Characters: Directly input specific characters to escape. Updates in real time.
• Hexadecimal Ranges: Use 4-digit hex codes (e.g., 003c) or ranges (e.g., 0030-003f). Requires clicking the Update button.
• Switching between modes automatically converts values between characters and hex.
• Input is validated with errors highlighted. Sorting and deduplication are built-in.
• Optionally include JSON key characters (0x00-0x1F, double quote, backslash) using a checkbox.

Note: These options are updated live and may impact ongoing Intruder attacks.

Global Settings

• Fine-tune Unescaping: Helps avoid errors when processing partially unescaped input.
• Verbose Logging: Adds additional output to Extender -> Output/Errors tabs.

Import, Export, Reset

• Export: Save current settings to a JSON file.
• Import: Load a settings file into the extender.
• Reset: Restore all settings to their default state.

Note: Invalid JSON input is rejected. Errors appear in the UI and Extension -> Errors tab.