Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Bruce force ID param

olek | Last updated: Sep 26, 2022 07:12PM UTC

Hi Team I would like ask about Bruce force ID param from user 7A20bc80aBdfa6988dQf19AAxXE. I try used into intruder Bruce force but there is low and big letter and digit. Scanner just doing this way.How to mix this ID for example "a7BxY0LqP1zXX1" Bruce force do not have Big Letter .? 77777777cccAWWWWWW

Ben, PortSwigger Agent | Last updated: Sep 27, 2022 04:21PM UTC

Hi Olek, Just to clarify, are you referring to using the 'Brute forcer' payload set in Intruder? If so, if you want to use both upper and lower case characters then you would need to adjust the default 'Character set' to include the uppercase characters (the default character set uses permutations based on lowercase characters and numbers).

olek | Last updated: Sep 27, 2022 05:29PM UTC

Sorry I do not understand .my question ID param from user is 7A20bc80aBdfa6988dQf19AAxX How to find ID different users in system using Burp.? You need scan looking for different ID number .HOW .?????

Ben, PortSwigger Agent | Last updated: Sep 28, 2022 04:25PM UTC

Hi Olek, A scan would not fuzz for different user IDs - you would need to use something like Intruder to do this.

olek | Last updated: Sep 28, 2022 06:08PM UTC

Ben correct I do that but in intruder you has 18 options 1 is Bruce force .I can do this for that id=11110000 no problem You can used Bruce force or Number tab. But how to Attack,guess this number "7A20bc80aBdfa6988dQf19AAxX" for example Bruce force has small letter and number and scan will be looks like this "77777777777aaaaaaaaaaaaa" This take my about 2 days scan .How to mix all this ???? Big letter small letter and number .???

Ben, PortSwigger Agent | Last updated: Sep 29, 2022 09:38AM UTC

Hi Olek, I mentioned this in my first message - you would need to alter the 'Character set' field in the Intruder -> Payloads tab of Burp (this field will show up after you have selected the 'Brute forcer' payload from the 'Payload type' drop down menu). You would need to alter the default character set so that it contains upper case characters i.e. alter it from the default of 'abcdefghijklmnopqrstuvwxyz0123456789' to 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'. This will mean that Burp will brute force both lowercase and uppercase characters as well as numbers. This will attempt to brute force every possible permutation of the specified character set for the given length that you provide - obviously, if you are trying to brute force a large string then this will take quite some time to work through all of the permutations.

olek | Last updated: Sep 29, 2022 06:28PM UTC

ok thanks you but Upper letter you have put manually .This is not as Default on burp. Additionally in Burp I see Character substitution will not work in this case.How to use it.???

Ben, PortSwigger Agent | Last updated: Sep 30, 2022 10:48AM UTC