Burp Suite User Forum

Add a rule action "sleep" or fix the delay between seconds for the resource pool

Jonas | Last updated: Sep 21, 2022 03:35PM UTC

Consider the following scenario: For logging in, you need to have a valid CSRF token. The standard way to solve that in Burp is to use a macro that fetches the token. But in this web app, the token is unique for every request and once the CSRF token is used (success or failure), it expires. If you want to check a login form for brute forcing, the Burp Intruder won't be able to do it because you can't add a sleep timer to the macro. So I thought that it might be possible via the resource pool by setting a delay between requests, but apparently it doesn't apply to requests from macros...

Jonas | Last updated: Sep 21, 2022 03:37PM UTC

Oh, I forgot to add that the CSRF token in this example has to be older than 2 seconds for it to be valid. Otherwise it doesn't make sense :^)
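The token behaviour described in the two posts above, modelled from the server side. This is an added example, not part of the original thread and not code from the application or from Burp; the class, function and reason names are hypothetical, and only the three rules (unique per request, consumed on any use, must be older than 2 seconds) come from the posts.

```python
import secrets
import time

MIN_AGE_SECONDS = 2.0  # from the thread: a token must be older than 2 seconds


class SingleUseTokenStore:
    """Hypothetical server-side store for the tokens described in the thread."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so the timing can be tested
        self._issued = {}     # token -> time of issue

    def issue(self):
        """Create a fresh, unpredictable token for one request."""
        token = secrets.token_urlsafe(32)
        self._issued[token] = self._clock()
        return token

    def redeem(self, token):
        """Return (accepted, reason). Any attempt consumes the token."""
        # pop() burns the token whether the check below passes or fails
        issued_at = self._issued.pop(token, None)
        if issued_at is None:
            return False, "unknown-or-used"
        if self._clock() - issued_at <= MIN_AGE_SECONDS:
            return False, "too-young"
        return True, "ok"


def simulate(delay_before_use):
    """Issue a token, wait `delay_before_use` simulated seconds, submit it twice."""
    now = [0.0]  # constructed clock, so nothing really sleeps
    store = SingleUseTokenStore(clock=lambda: now[0])
    token = store.issue()
    now[0] += delay_before_use
    first = store.redeem(token)
    second = store.redeem(token)
    return first, second


if __name__ == "__main__":
    print(simulate(0.0))   # token submitted straight after it was fetched
    print(simulate(2.5))   # token submitted after the minimum age has passed
```

A token submitted immediately after being fetched is rejected and still consumed, which is why a macro that fetches and replays the token with no pause never yields a valid request.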

Hannah, PortSwigger Agent | Last updated: Sep 22, 2022 09:27AM UTC

Hi,

Have you had a look at any extensions on the BApp Store to handle your tokens? You could have a look at:

- CSRF Token Tracker
- Authentication Token Obtain and Replace
- TokenJar

Jonas | Last updated: Sep 22, 2022 02:29PM UTC

None of them allow me to pause for a few seconds before using the token. As I said, it would be best if there was a rule action called "sleep".

Hannah, PortSwigger Agent | Last updated: Sep 23, 2022 10:28AM UTC

Thanks for that information. I've added your +1 to our ongoing feature request for a session handler action that allows you to input a time delay. You could have a look at the Reshaper extension. This could allow you to create a rule so that when a request comes through that is from the tool "Extender" or "Session", then you can add a delay of 2000ms.
