Burp Suite User Forum

Login to post

Burp 2023.1.2 ignoring intruder payload positions set (or choosing its own?)

Gigostack | Last updated: Feb 26, 2023 10:07PM UTC

Here is the intruder position i have set for port academy lab: GET /filter?category=Gifts HTTP/1.1 Host: 0a7b002803336d41c08ad10900000088.web-security-academy.net Cookie: TrackingId=lpkFNBe4TfZzEc9p'+AND+(SELECT+SUBSTRING(password,§1§,1)+FROM+users+WHERE+username='administrator')='§a§; session=lD40eMVj3DI3XJAvre0DQ1nVZFFheyic when §a§ is highlighted and set first, then §1§ is set second, burp intruder in the clusterbomb mode will do the opposite (as tho it is identifying positions based on order?) I do not remember previous versions of burp working in this manner, i remember that the position i highlight and add first is the position that is "worked" first in the payloads. Can someone tell me if this is expected behavior?

Hannah, PortSwigger Agent | Last updated: Feb 27, 2023 09:54AM UTC

Hi. Do you know which previous version you saw this different behavior on? For easier readability, having the payload numbers in the order that they appear in the request makes it easier to understand the Intruder attack, especially if you're saving the attack and coming back to it later.

You need to Log in to post a reply. Or register here, for free.