Burp Suite User Forum


Burp Intruder inaccurate received and completed response time

Paulo | Last updated: Jul 25, 2019 09:28AM UTC

In Intruder, in order to execute blind SQL injection, I selected the Received time from the columns menu in the Intruder attack window. While executing the attack, I noticed that the response times are not correct after the "TRUE" condition is met. For example, if the password length is 6, testing for something like LENGTH(password)=? with a list of numbers from 1 to 10 and a sleep time of 5 seconds, the received time seems correct up to 6, showing more or less 100ms for each request. But after the TRUE condition, which is 6, the received time of the 7, 8, 9 and 10 payloads is approximately 10 seconds, which is wrong. Only the 6 payload should have a received time of 10s. Overall execution takes less than 11 seconds.

Liam, PortSwigger Agent | Last updated: Jul 26, 2019 09:39AM UTC

Thanks for this report. Could you send us a screenshot displaying this issue to support@portswigger.net?

Thomas | Last updated: Feb 29, 2020 09:52AM UTC

I think setting the "Number of threads" to 1 in the "Intruder >> Options >> Request Engine" section may solve your issue.
