Burp Suite User Forum

Burp Live Scan Payload Modification

Wesley | Last updated: Nov 16, 2020 08:22PM UTC

I am running a live scan against a system and it comes back with OS Command Injection, and the payload used a sleep time of 20 seconds. I would like to increase the 20 seconds to around 1.5 minutes. I believe it comes back with OS Command Injection because of a network issue and I don't believe the OS Command Injection is a false positive. If there is any way to modify this sleep time, your help is greatly appreciated! Thanks in advance. Wesley

Ben, PortSwigger Agent | Last updated: Nov 17, 2020 11:00AM UTC

Hi Wesley,

This sounds like something that you could check manually in order to fine tune both the parameters being used and confirm whether or not Burp has discovered a genuine issue. There are some details on how to manually test for OS command injections on the following page: https://portswigger.net/support/using-burp-to-test-for-os-command-injection-vulnerabilities

Wesley | Last updated: Nov 17, 2020 02:20PM UTC

Hi Ben,

This is not a manual test, this is a live scan. But I'm guessing from your response, there is no way to modify the payloads for a live scan.

Ben, PortSwigger Agent | Last updated: Nov 18, 2020 10:55AM UTC

Hi Wesley,

No, you cannot control the scanner payloads for OS Command Injection to that granular level. My comment was regarding steps to take after the scan had finished in order to determine whether Burp has discovered a genuine issue or whether, as you mentioned, it could be down to an issue with the network.