Releases: netsquare/Auto-Payload-Positioner

V3.0.0 - The Embedded JSON Handler

21 Feb 08:41
061444f

Highlights

  1. Embedded JSON (JSON inside JSON-string) now gets insertion points inside the embedded object/array, not just on the outer string.

    • Example:
      • Input body:
        {"embedded":"{\"json\":\"thisisembedded\",\"key\":1}"}
      • Expected insertion points include:
        • thisisembedded
        • 1
  2. Empty-value handling via the __DELETE_ME__ placeholder (Montoya requires non-zero length insertion ranges).

    • Example (query/form/plain):
      • Input: data=&x=1
      • Sent to Intruder as: data=__DELETE_ME__&x=1
      • Expected insertion points include:
        • __DELETE_ME__
        • 1
    • Example (JSON empty string):
      • Input body:
        {"data":"","ok":"yes"}
      • Sent to Intruder as:
        {"data":"__DELETE_ME__","ok":"yes"}
      • Expected insertion points include:
        • __DELETE_ME__
        • yes
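
An added illustration, not the extension's own code, of how insertion ranges found inside an embedded JSON string can be mapped back to offsets in the raw request body, where the inner quotes are escaped. The names insertion_points, TOKEN, UNIT and KEY_COLON are hypothetical; it assumes valid JSON, reports character offsets, and assumes the outer string stays an insertion point alongside the inner values.

```python
import json
import re

# String literal, number, or bare literal; the input is assumed to be valid JSON.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|true|false|null')
# One alternative per raw form that json.loads decodes to a single character.
UNIT = re.compile(r'\\u[dD][89abAB][0-9a-fA-F]{2}\\u[dD][c-fC-F][0-9a-fA-F]{2}'
                  r'|\\u[0-9a-fA-F]{4}|\\.|.', re.S)
KEY_COLON = re.compile(r'\s*:')


def insertion_points(text, offsets=None):
    """Return (start, end) offsets into the raw body for each non-key value.

    offsets[i] is the raw-body offset of text[i]; it has len(text) + 1 entries.
    """
    if offsets is None:
        offsets = list(range(len(text) + 1))
    points = []
    for m in TOKEN.finditer(text):
        start, end = m.span()
        if KEY_COLON.match(text, end):
            continue                      # object key, not a value
        if text[start] != '"':
            points.append((offsets[start], offsets[end]))   # number/true/false/null
            continue
        value = json.loads(m.group())
        if value == "":
            continue    # zero-length range; the release covers this with __DELETE_ME__
        points.append((offsets[start + 1], offsets[end - 1]))   # outer string contents
        try:
            embedded = isinstance(json.loads(value), (dict, list))
        except ValueError:
            embedded = False
        if embedded:
            # Decoded index k of the inner text -> offset of its raw (escaped) form.
            inner = [offsets[start + 1 + u.start()]
                     for u in UNIT.finditer(m.group()[1:-1])]
            inner.append(offsets[end - 1])                      # closing-quote sentinel
            points += insertion_points(value, inner)
    return points


# Constructed sample: the request body shown in the embedded JSON highlight.
BODY = r'{"embedded":"{\"json\":\"thisisembedded\",\"key\":1}"}'

if __name__ == "__main__":
    for s, e in insertion_points(BODY):
        print(s, e, BODY[s:e])
```
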

Changes

  • Updated Montoya API dependency to 2026.2.
  • Modular refactor: core logic moved under com.netsquare.autopayloadpositioner.* while keeping com.netsquare.AutoPayloadPositioner as the Burp entrypoint.
  • Improved overlap handling so smaller “inner” insertion points (like embedded JSON values) are not dropped.

Testing

  • Added tests.md with copy/paste regression cases and expected insertion points (embedded JSON + __DELETE_ME__ included).

Checksum SHA256:

  • AutoPayloadPositioner-v3.0.0.jar: 1c4ea7941c16a6917d5dbbae0cefbabb45f8bb7f3e19bdc3db020a238a0fa46d

v2.0.0 New Options

26 Jun 14:56
061444f

What's New

Multiple Payload Positioning Modes

Previously, the extension used a single "one-size-fits-all" approach. Now you can choose from 10 different modes to match your specific testing needs:

Core Options
  • Default (No HTTP Method) - Parameters, body, headers, and URL path (last part only)
  • Default + Full URL Path - Same as default but targets the entire URL path
  • Everything - Includes HTTP method + all default positions
  • Everything + Full URL Path - Complete coverage including HTTP method and full URL path
Headers-Focused Options
  • Headers Only - Target only HTTP headers for focused header testing
  • Headers + Method - Headers plus HTTP method
  • Headers + URL Path Last Part - Headers plus the last segment of URL path
  • Headers + URL Path Last Part + Method - Headers, URL path segment, and HTTP method
  • Headers + Full URL Path - Headers plus complete URL path
  • Headers + Full URL Path + Method - Maximum coverage with headers, full URL path, and HTTP method

Why This Matters

Better Testing Precision
  • Focused Testing: Choose exactly what you want to test instead of everything at once
  • Reduced Noise: Avoid unnecessary payload positions that don't match your test case
  • Faster Results: Fewer payload positions mean faster Intruder runs

How to Use

  • Right-click on any HTTP request in Burp Suite
  • Select from the 10 available payload positioning modes
  • The request will be sent to Intruder with payloads positioned according to your selection
  • Run your attack with precise payload placement

Migration Notes

  • Existing Users: The extension now defaults to "Default (No HTTP Method)" mode, which is similar to the previous behavior but excludes HTTP method positioning
  • No Breaking Changes: All existing functionality remains intact
  • Backward Compatibility: Previous behavior can be achieved using "Everything" mode

Technical Improvements

  • Enhanced context menu with clear mode descriptions
  • Optimized payload positioning logic for better performance
  • Improved error handling for complex request formats
  • Better thread management for processing multiple requests

Checksum

  • AutoPayloadPositioner-v2.0.0.jar: sha256:15a17d9323128b95c42891791fe6b670d995712754473eb4e70804bb8899e368

v1.0.0

28 Apr 18:49
4ff2606

v1.0.0 release. Read the README for more info.