Burp Suite User Forum

Login to post

Ability to view the delay of a response in a column (Intruder)

Cristiano | Last updated: Jan 26, 2015 01:20PM UTC

May be very useful while testing for time based injection (sql, command, aso) to see the delay of a response returned by the remote webserver.

PortSwigger Agent | Last updated: Jan 26, 2015 01:53PM UTC

This information is already captured, but is hidden by default! You can turn it on using the Columns menu, and select "Response received" / "Response completed".

Burp User | Last updated: Feb 02, 2015 10:41AM UTC

Yeah indeed, but will be more useful to have a single column with the computed delay value

PortSwigger Agent | Last updated: Feb 02, 2015 11:21AM UTC

The two timers contain different information - the time taken for a response to start and finish, respectively. Some time-based attacks cause a delay before a response starts (if the whole server-side logic is executed first) while some cause a delay while the response is already being streamed (e.g. if the headers are sent first, and then some further server-side processing happens on your input). So we definitely wouldn't want to have a single column with only one of these bits of information. By "computed time delay", do you mean the difference between the current item's timer and the base response timer? Since this would simply mean subtracting a fixed value from every row in the table, I don't see that this would be any more useful than reporting the actual response times.

Burp User | Last updated: Feb 05, 2015 04:28PM UTC

make sense; now the logic behind the values reported in the two column is more clear to me. thanks

yashwanth | Last updated: Jun 16, 2020 11:25AM UTC

can you tell me what is response received and response completed ?are these terms related to server side or client side?please explain.

Uthman, PortSwigger Agent | Last updated: Jun 16, 2020 12:15PM UTC

Response received is the time taken to begin receiving a response, whilst response completed is the time taken for the response to complete. You can find out further information below: - https://portswigger.net/burp/documentation/desktop/tools/intruder/attacks

Ashok | Last updated: Dec 26, 2020 06:27PM UTC

Hi Team, I was looking for these information in the attack option section but didn't find it. Can you please help me it this available in community edition or only in Pro edition? Thanks

Hannah, PortSwigger Agent | Last updated: Jan 04, 2021 01:07PM UTC

Hi Ashok Are you looking for how to enable the response received and response completed column options in your Intruder attack results table? There is a menu option available when the results table is in focus. It has the options Attack, Save and Columns. If you click on the Columns menu item, you can select and deselect which columns are displayed in your attack results table. This is available both in Community and Professional.

Duy | Last updated: Jul 21, 2021 07:03AM UTC

Hi team, I am doing time-based sql injection exercise using Intruder to determine response time. In the solution they suggest to set "Maximum concurrent requests" in the "Resource Pools" tab to 1 for the most reliable response times. Can you tell me how the response time in single concurrent request is different from multiple concurrent requests?

Duy | Last updated: Jul 22, 2021 03:40AM UTC

Hi team, I am doing time-based sql injection exercise using Intruder to determine response time. In the solution they suggest to set "Maximum concurrent requests" in the "Resource Pools" tab to 1 for the most reliable response times. Can you tell me how the response time in single concurrent request is different from multiple concurrent requests?

Hannah, PortSwigger Agent | Last updated: Jul 22, 2021 10:15AM UTC

Hi. Which lab are you trying to complete?

Duy | Last updated: Jul 23, 2021 01:31PM UTC

Hello team. Sorry for the slow response. The link of the lab I'm working on is "https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval". Questions about response time difference between processing within a single concurrent request and multiple concurrent requests mostly lie in step 12 of the solution.

Duy | Last updated: Jul 23, 2021 01:31PM UTC

Hello team. Sorry for the slow response. The link of the lab I'm working on is "https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval". Questions about response time difference between processing within a single concurrent request and multiple concurrent requests mostly lie in step 12 of the solution.

Hannah, PortSwigger Agent | Last updated: Jul 26, 2021 12:40PM UTC

In this lab, you are sending multiple requests to the database, each instructing the database to sleep for a certain period of time. By sending multiple requests in quick succession with sleep statements in, you will not be able to get an accurate value for an individual request. By performing each request one at a time, you can be sure that each sleep corresponds to a single request.

You need to Log in to post a reply. Or register here, for free.