Professional Community

JSON Unicode-Escaper

This extension provides UTF-8 JSON Unicode-escaping/unescaping capabilities, as defined in RFC 8259 Section 7.

Features

  • Manual Escaper/Unescaper Tab: For escaping and unescaping data manually in a custom Decoder-like tab. Functionality for pasting in files for escaping/unescaping, as well as functionality for copying escaped/unescaped data to files, is included.
  • Context Menu Items: For escaping and unescaping data in requests/responses on-demand, as well as for sending highlighted text directly to the manual Escaper/Unescaper tab.
  • Intruder Payload Processors: For automatically escaping and unescaping payloads during Intruder attacks.

Usage

Manual Escaper/Unescaper Tab

Location: "JSON Unicode-Escaper" tab in Burp Suite.

Input Options

  • Paste from Clipboard: Use Ctrl+V or click the Paste From Clipboard button.
  • Send from Context Menu: Highlight text, right-click, and select Send to Manual Escaper/Unescaper.
  • Paste From File: Use the Paste From File button.

Processing

Select an escaping/unescaping method from the dropdown. The processed result will appear in the output area.

Output Options

  • Copy to Clipboard: Highlight and press Ctrl+C or use the Copy Output To Clipboard button.
  • Copy to File: Use the Copy Output To File button.

Context Menu Integration

This extension adds right-click context menu options for requests and responses.

  • Editable Fields: Selected text is replaced with the escaped/unescaped result.
  • Read-Only Fields: A popup window displays the result for manual copying.
  • Send to Escaper/Unescaper: Sends highlighted data to the dedicated tab.

Note: Context menu options are not available in Intruder -> Payloads.

Intruder Payload Processing

Setup

  1. Configure your Intruder attack normally.
  2. Under Payloads -> Payload Processing, click Add -> Invoke Burp Extension.
  3. Select the desired escape/unescape method from the dropdown.

Payloads are automatically processed by the extension before being sent during the attack.

Note: Avoid changing custom escape character settings during an active attack.

Available Methods

  • JSON-unescape: Unescapes characters like \n or \u0022. Invalid sequences are left unchanged.
  • JSON-escape key chars: Escapes control characters, quotes, backslashes, and some high-ASCII characters.
  • JSON Unicode-escape key chars: Same as above, but uses Unicode format (e.g., \u000a).
  • JSON Unicode-escape all chars: Escapes every character using Unicode format.
  • JSON Unicode-escape custom chars: Escapes only user-specified characters. Configurable in the Settings tab.

Settings Tab Overview

JSON Unicode-escape Custom Chars Configuration

  • Characters: Directly input specific characters to escape. Updates in real time.
  • Hexadecimal Ranges: Use 4-digit hex codes (e.g., 003c) or ranges (e.g., 0030-003f). Requires clicking the Update button.
  • Switching between modes automatically converts values between characters and hex.
  • Input is validated with errors highlighted. Sorting and deduplication are built-in.
  • Optionally include JSON key characters (0x00-0x1F, double quote, backslash) using a checkbox.

Note: These options are updated live and may impact ongoing Intruder attacks.

Global Settings

  • Fine-tune Unescaping: Helps avoid errors when processing partially unescaped input.
  • Verbose Logging: Adds additional output to Extender -> Output/Errors tabs.

Import, Export, Reset

  • Export: Save current settings to a JSON file.
  • Import: Load a settings file into the extender.
  • Reset: Restore all settings to their default state.

Note: Invalid JSON input is rejected. Errors appear in the UI and Extension -> Errors tab.

Author

Author

Jeffrey Cap

Version

Version

0.2

Rating

Rating

Popularity

Popularity

Last updated

Last updated

27 March 2025

Estimated system impact

Estimated system impact

Overall impact: Empty

Memory
Empty
CPU
Empty
General
Empty
Scanner
Empty

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore

Note:

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.