Burp Suite User Forum

Login to post

Add time counter between Intruder requests (initiate an Intruder request every x seconds/minutes)

Zac | Last updated: Jan 16, 2019 08:04AM UTC

Hello there, I would like to request a new feature be added to Intruder. I have come across web applications that use the time between requests to control against brute force attempts. As an example, if a user account has an incorrect username or password login twice within 2 minutes then an error message is displayed and the user is "temporarily suspended". After two minutes you can attempt to log in again with the account being enabled. I have wrote a simple bash script that loops a curl command inputting different values in specific POST parameters. It would be great to have the ability in Intruder to specify a delay in seconds/minutes/hours between requests.

PortSwigger Agent | Last updated: Jan 16, 2019 10:18AM UTC

You can do this now. Look in Intruder > Options > Request Engine > Throttle

ehlullah | Last updated: Jun 04, 2021 06:53AM UTC

hey, there is no Request Engine here.

Michelle, PortSwigger Agent | Last updated: Jun 04, 2021 08:45AM UTC

The Intruder Tool has been updated, you can now go to the Resource Pool tab to edit the number of concurrent requests and set a delay between requests: https://portswigger.net/burp/documentation/desktop/tools/intruder/intruder-resource-pool

Alysson | Last updated: Jun 19, 2021 05:59PM UTC

The resource pool settings are not clear. I need Intruder to perform 3 password brute-forcing attempts, wait for 61 seconds, and then move to the next 3 passwords. This is supposed to keep going until the passwords list is exhausted. How could I do that?

Michelle, PortSwigger Agent | Last updated: Jun 21, 2021 10:18AM UTC

Thanks for your message. When using Intruder, you can specify a time delay between each request as part of the resource pool settings, but it is not currently possible to configure it to send a specific number of requests between each time gap, I'm afraid. If this would be useful for you, can you tell us more about your use case and how often you need to configure this, please?

Mehdi | Last updated: Jan 19, 2022 05:54PM UTC

What Alysson has mentioned is the real use case of throttling. I always need that to test rate limiting mechanisms and wonder why such an important feature does not exist.

Michelle, PortSwigger Agent | Last updated: Jan 20, 2022 09:38AM UTC

Thanks for getting in touch. You might be surprised, but so far this isn't something for which we've had many requests. How often do you find yourself needing this functionality? Would you just need functionality to send X requests, pause for Y seconds and then send X requests again, or are there other scenarios for other attacks that you need? It would be good to gather this information so we can discuss this further with our developers. Currently, you may be able to achieve this by writing your own extension within Burp.You could potentially create an extension that registers a payload generator that every 3 payloads sleeps for 61 seconds before giving the 4th payload. You could then use that with a resource pool with only one concurrent request. If you wanted to investigate this further you can find resources on writing your own extensions here: https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension https://portswigger.net/burp/extender https://portswigger.net/burp/extender/api/

Shandor | Last updated: May 02, 2022 02:52PM UTC

This can be useful in one of the Burp Academy lab actually : https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-account-lock Try 5 times, wait 60 minutes until the account is unlocked, and try another 5. No

Shandor | Last updated: May 02, 2022 02:53PM UTC

Edit: This can be useful in one of the Burp Academy lab actually : https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-account-lock Try 5 times, wait 60 minutes until the account is unlocked, and try another 5. I was going to write : Not sure how real world is this configuration

Shandor | Last updated: May 02, 2022 02:54PM UTC

**Seconds...

Shandor | Last updated: May 02, 2022 02:58PM UTC

Ah never mind - I see that you can just brute force the lab even with the account lockout.

TVTBounty | Last updated: Aug 04, 2022 01:44AM UTC

Hello has this been implemented or a write up done on how to add this extension? this would be really useful on DVR's. The new apps being deployed have this kind of loop and burp should be able to do this. example: you have 4 attempts to login, after which you need to wait 5 minutes before trying again. (provided you are using the same source IP). i saw in a youtube post that IP can be changed using a counter+variable. but how to do this only after the 4 attempts? looking for samples? shodan.io, TVT DVR. pick any and you'll see the loops

oshri | Last updated: Sep 13, 2022 06:39AM UTC

i also would love to have this feature it is sooo useful for pen testing!

Michelle, PortSwigger Agent | Last updated: Sep 13, 2022 12:55PM UTC

Thanks for the feedback. Have you taken a look at the Turbo Intruder extension to see if this would help in your scenario? https://portswigger.net/bappstore/9abaa233088242e8be252cd4ff534988

You need to Log in to post a reply. Or register here, for free.