WAF Fuzzing with Burp Intruder

Jess
May 27, 2021

Ever been beating your head against a WAF and wished there was a quick way to test every single character against it?

Well, if you have Burp Intruder, you can do so with a couple of quick settings.

URL Encoded Characters — ASCII

1. Put a % before your injection point

2. Payload Type: Brute forcer
   - Shorten your character set to a-f and 0–9
   - Set Min/Max to 2
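To see what those settings cover, and to turn a finished run into something you can review, here is an added Python example (not part of the original post). It rebuilds the payload set, confirms it decodes to all 256 byte values (so more than just ASCII), and collapses the blocked bytes into ranges. The results mapping, the 403-means-blocked rule and all function names are assumptions made for illustration.

```python
from itertools import product
from urllib.parse import unquote_to_bytes

CHARSET = "abcdef0123456789"  # the shortened Brute forcer character set

def payloads():
    """Every 2-character string over CHARSET (Min/Max length = 2)."""
    return ["".join(p) for p in product(CHARSET, repeat=2)]

def decoded_byte(payload):
    """Byte value the backend sees once '%' + payload is URL-decoded."""
    return unquote_to_bytes("%" + payload)[0]

def blocked_ranges(results, blocked_status=403):
    """Collapse blocked bytes into inclusive (start, end) ranges.

    results maps payload -> HTTP status. Treating 403 as "blocked" is an
    assumption; use whatever status your WAF actually returns.
    """
    hits = sorted(decoded_byte(p) for p, s in results.items() if s == blocked_status)
    ranges = []
    for b in hits:
        if ranges and b == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], b)   # extend the current run
        else:
            ranges.append((b, b))             # start a new run
    return ranges

def label(b):
    """'%3c ('<')' for printable ASCII, plain '%0a' otherwise."""
    return f"%{b:02x}" + (f" ({chr(b)!r})" if 0x20 <= b < 0x7F else "")

def describe(ranges):
    return [label(lo) if lo == hi else f"{label(lo)}-{label(hi)}" for lo, hi in ranges]

# Constructed sample results: a WAF that rejects control bytes, quotes and
# angle brackets. Real data would come from your own Intruder run.
BLOCK = set(range(0x00, 0x20)) | {0x22, 0x27, 0x3C, 0x3E}
SAMPLE = {p: (403 if decoded_byte(p) in BLOCK else 200) for p in payloads()}

if __name__ == "__main__":
    print(len(payloads()), "payloads")
    for line in describe(blocked_ranges(SAMPLE)):
        print("blocked:", line)
```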
