Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Cluster bomb 3 positions 2 sets of payloads.

ben | Last updated: Nov 30, 2023 03:15PM UTC

I have a question about using intruder in a specific scenario. lets say I have a 2 sets of payloads and I want to loop through all possible combination using these payloads (so cluster bomb seems like the best option) but! I want my request to have 3 payload positions: position1 and position3 will be the exact same payload and will take it from payload list number 1. position2 will be from payload list number 2. so for example: payload list 1 = [a, img] payload list 2 = [event1, event2] the result will be: 1. pos1 = pos3 = a. pos2 = event1 2. pos1 = pos3 = a. pos2 = event2 3. pos1 = pos3 = img pos2 = event1 4. pos1 = pos3 = img pos2 = event2 I couldn't find any settings that make this possible. I thought it would be as simple as naming the position1 and 3 the same. for example choosing cluster bomb and inserting the postions like os: GET /somepath?search=<§pay1§%20§pay2§%3D%22print%281%29%22%3E%3C%2F§pay1§%3E rest of the request... And now because position1 and position3 have the same name (pay1) it will be read from the same payload... as you can see this scenario can be very helpful when you have many javascript tags you want to check with some data between these tags or as event of the tags if this is not possible to do using intruder, I highly suggest you will add this option sometime in the future :) Thanks, Ben

Hannah, PortSwigger Agent | Last updated: Dec 01, 2023 09:58AM UTC