The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Add a processing rule

Adam | Last updated: Nov 10, 2023 02:37PM UTC

Hi, I am attempting a brute-force attack on a password using the Sniper attack method. I am highlighting the password value in Intruder and adding it with "Add §", but it appears that the password value is hashed using SHA-256: b3e8cfedfe28f63565f18e04826f314a925a58aafdfae17e87eece4f62140217

POST /ISAPI/Security/sessionLogin?timeStamp=1699624550874 HTTP/1.1
Host: 192.168.1.145
Content-Length: 183
Cache-Control: max-age=0
Accept: */*
X-Requested-With: XMLHttpRequest
If-Modified-Since: 0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.145
Referer: http://192.168.1.145/doc/page/login.asp?_1699624428676
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: language=en
Connection: close

<SessionLogin><userName>admin</userName><password>§b3e8cfedfe28f63565f18e04826f314a925a58aafdfae17e87eece4f62140217§</password><sessionID>2656cd50c566c9291b49</sessionID></SessionLogin>

I have a couple of questions:

1. Regarding the payloads, I have loaded "rockyou.txt" into the payload settings (Simple List). When I run the attack, it goes through all the passwords in "rockyou.txt" and eventually does not find the correct password; it bypasses my correct password. Why is this happening? Do I need to add a processing rule for hashing with SHA-256?

2. Should I add all failure messages to the Grep - Match settings? For example: "Incorrect username or password. The device will be locked after 5 failed login attempts."

Hannah, PortSwigger Agent | Last updated: Nov 13, 2023 10:45AM UTC