Burp Suite User Forum


Burp Intruder cluster bomb payload set reused

Mathieu | Last updated: Jun 16, 2023 02:40AM UTC

Hello,

I need to brute-force a parameter that is sent twice to the server and follows the pattern below:

```
param1=P1-P2-P3
param2=P1-P2-P3
```

Where P1, P2 and P3 are three payload sets. Is it possible to reuse the same payload set for two placeholders using Burp Intruder, or do I need to use another extension such as Turbo Intruder?

Regards,

Hannah, PortSwigger Agent | Last updated: Jun 16, 2023 04:10PM UTC

Hi,

Have you tried using an Intruder attack type of "Battering ram"? This uses a single set of payloads, and places the same payload into all of the defined payload positions at once.

Mathieu | Last updated: Jun 17, 2023 12:08AM UTC

Hi,

Thank you for your reply. Yes, I've thought about it, but "Battering ram" cannot fit in my case. I need to brute-force all possibilities like "Cluster bomb" proposes to do it (number of requests max = P1 x P2 x P3). If the parameter was not sent twice, cluster bomb would be perfectly fine. Nevertheless, the goal here is to duplicate the result obtained by the cluster bomb operation to set two parameters with the same value.

For example, if the cluster bomb would give P1=X, P2=Y, P3=Z for one iteration, I would like to send:

```
param1 = X-Y-Z
param2 = X-Y-Z
```

Thank you for your help

Mathieu | Last updated: Jun 19, 2023 09:01AM UTC

Hi,

I could achieve something quite similar with the "Battering ram" mode as you suggested and by tweaking my request a bit. I used the payload sets "Custom iterator" and the payload settings with a custom preset scheme.

Thank you

Hannah, PortSwigger Agent | Last updated: Jun 20, 2023 09:10AM UTC

I'm glad to hear you got this working! If there's anything else we can help with, then please let us know.
