Hello PortSwiggers! Thank you for the opportunity to have a crack at this test. Below, you will find my observations about this task, and questions I would ask a subject-matter expert.
Observations about the developer’s notes
The SQL statement was presented inconsistently. A screenshot provided by the developer provided the correct statement, which included --.
The developer notes guided me to install the plugin in the middle of the example. While hardly a showstopper, it seems simpler and cleaner to install the plugin prior to starting the example.
“Triple click”.
Inconsistent and incorrect spelling of ‘Hackvertor’.
The developer neglects to mention that Burp processes this statement differently depending on the HTTP protocol being used.
HTTP/2 truncates the SQL statement after the first space in the statement.
HTTP/1.1 does not. Developer screenshots indicate that HTTP/1.1 should be used for this example.
Justification and challenges
Hackvertor provided a number of considerations and challenges:
A number of tags seem self-explanatory, but I felt a basic user guide wouldn’t need to explain each tag. It was assumed that users at this level would primarily seek out Hackvertor to inject tags they already know. A limited tag list was taken and edited from another source.
For custom tag creation, the absence of J2V8 on my machine caused this to fail. Documentation regarding custom tags was based on an example provided by developer Gareth Heyes — but is currently unverified:
The SQL example, while not entirely relevant to the core functionality of Hackvertor, might be a good starting point for those wanting to try the extension in a working scenario. It allows those who want to learn via ‘show, not tell’ or ‘hands on’ to get to grips with Hackvertor.
Burp Suite Academy Lab URLs frequently fail due to unavailability.
Uncertainties
It wasn’t entirely clear whether or not Hackvertor provides a shortcut to inserting tags (instead of typing them manually), or gives Burp the ability to process those tags. To confirm this, manual insertion of tags without Hackvertor installed was tested.
It’s not clear whether or not ‘Encode’ is a blanket term for all tags included within Hackvertor. For example, <@length> could be described as a ‘Transform’. For the purposes of this draft, ‘Encode’ is used as a blanket term, with intermittent reference to ‘Transform’.
Burp Scanner has not been included in this guide, as related Hackvertor functionality does not appear to be available in Burp Suite Community Edition.
Questions
Why is HTTP traffic with spaces — such as the SQL statements provided — truncated when the HTTP/2 protocol is used?
When using a non-temporary project in the full version of Burp Suite, do Hackvertor tabs retain their contents between sessions?
It’s not clear why I have the right-click option to insert tags into HTTP traffic in the Intruder tab — when this appears to be configured in the Payloads section.
Why is auto-decrypt automatically applied when transferring HTTP traffic from a Burp Suite tab to a Hackvertor tab? Is the expectation that HTTP traffic would be sent for decoding?
Can the contents of tabs in the Hackvertor area of Burp Suite be saved in the complete Burp Suite?
What does each tag do? At the moment, I have borrowed information from a much older source. In a real-world scenario, I would look to capture what each tag can do (though I may not surface all of them in the documentation).