The Burp Suite User Forum was discontinued on the 1st November 2024.


Add a rule action "sleep" or fix the delay between seconds for the resource pool

Jonas | Last updated: Sep 21, 2022 03:35PM UTC

Consider the following scenario: For logging in, you need to have a valid CSRF token. The standard way to solve that in Burp is to use a macro that fetches the token. But in this web app, the token is unique for every request and once the CSRF token is used (success or failure), it expires. If you want to check a login form for brute forcing, the Burp Intruder won't be able to do it because you can't add a sleep timer to the macro. So I thought that it might be possible via the resource pool by setting a delay between requests, but apparently it doesn't apply to requests from macros...

Jonas | Last updated: Sep 21, 2022 03:37PM UTC

Oh, I forgot to add that the CSRF token in this example has to be older than 2 seconds for it to be valid. Otherwise it doesn't make sense :^)

Hannah, PortSwigger Agent | Last updated: Sep 22, 2022 09:27AM UTC

Hi,

Have you had a look at any extensions on the BApp Store to handle your tokens? You could have a look at:

- CSRF Token Tracker
- Authentication Token Obtain and Replace
- TokenJar

Jonas | Last updated: Sep 22, 2022 02:29PM UTC

None of them allow me to pause for a few seconds before using the token. As I said, it would be best if there was a rule action called "sleep".

Hannah, PortSwigger Agent | Last updated: Sep 23, 2022 10:28AM UTC