Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Basic Intruder Question using Base64 Encode

Jeffrey | Last updated: Nov 26, 2016 08:06AM UTC

Im trying to use Burp to access my base64 protected site to see if it is possible, however I am having a problem learning about where positions should be tagged at in a base64 string. User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: __smToken=2o8AdPCnNsyDRWAej1BknI4D; awpopup_1532000114=1; __smWelcomeMatShown=true; __smWelcomeMatOptOut=true Connection: keep-alive Upgrade-Insecure-Requests: 1 Authorization: Basic §aGVsbG86§§aGVsbG8=§ I have two positions for the clusterbomb attack and I have added the ":" at the end of my list 1. I am not sure if these positions are correct?

Liam, PortSwigger Agent | Last updated: Nov 28, 2016 09:08AM UTC

Hi Jeffrey Thanks for your message. Intruder isn't the best tool for brute forcing basic authentication because you need to Base64-encode the whole user : password string. You could try using a dedicated brute forcing tool such as THC Hydra: - http://sectools.org/tool/hydra/ Please let us know if you need any further assistance.

Burp User | Last updated: Mar 25, 2018 07:37PM UTC

Base64 encoding along with various other payload manipulations seem to be possible using the Intruder Payload Processing/Encoding functionality: https://portswigger.net/burp/help/intruder_payloads_processing

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.