Burp Suite User Forum

Add a processing rule

Adam | Last updated: Nov 10, 2023 02:37PM UTC

Hi, I am attempting a brute force attack on a password using the Sniper attack method. I am highlighting the password value in the Intruder and adding it as "Add §", but it appears that the password value is hashed using SHA-256: b3e8cfedfe28f63565f18e04826f314a925a58aafdfae17e87eece4f62140217

    POST /ISAPI/Security/sessionLogin?timeStamp=1699624550874 HTTP/1.1
    Host:
    Content-Length: 183
    Cache-Control: max-age=0
    Accept: */*
    X-Requested-With: XMLHttpRequest
    If-Modified-Since: 0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://
    Referer: http:// /doc/page/login.asp?_1699624428676
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: language=en
    Connection: close

    <SessionLogin><userName>admin</userName><password>§b3e8cfedfe28f63565f18e04826f314a925a58aafdfae17e87eece4f62140217§</password><sessionID>2656cd50c566c9291b49</sessionID></SessionLogin>

I have a couple of questions:

1. Regarding the payloads, I have loaded "rockyou.txt" into the payload settings (Simple List). When I run the attack, it goes through all the passwords in "rockyou.txt" and eventually does not find the correct password; it bypasses my correct password. Why is this happening? Do I need to add a processing rule for hashing and SHA-256?

2. Should I add all failure messages to the Grep-Match? For example: "Incorrect username or password. The device will be locked after 5 failed login attempts."

Hannah, PortSwigger Agent | Last updated: Nov 13, 2023 10:45AM UTC

Hi,

If the password needs to be provided in an encoded form, then yes, we would recommend using the processing rules to provide the password in the correct format in the request. If the built-in processing rules are not sufficient, then you may wish to use an extension like "Hackvertor" to encode your payloads.

Using "Grep match" will flag specific responses in your results. If the failure messages are interesting to you, then this would be a good thing to flag.
