Burp Suite User Forum

Conditional Macro

Martinik | Last updated: Aug 17, 2023 10:17AM UTC

In the context of race condition attacks and sending requests in parallel: I have a POST request to apply a discount coupon code and a GET request to view the cart. As an alternative to "Sending requests in parallel", we can create a macro with the POST request and send the GET request to Intruder (Attack type: Sniper; Payload type: Null payloads; Payload settings: continue indefinitely; Resource pool: 30 concurrent requests, auto throttle). In Intruder, start the attack and then, in the browser, refresh the web page to view the "big" discount. If the discount is "big" enough, we can place the order. Otherwise, we will Remove the coupon (from the browser) and wait for the Intruder attack to set a new discount.

Is it possible to create a special macro (or something similar) to automatically do the above manual task: remove the coupon if the discount or total has a specified value? Like a conditional macro: if the total > 50, then execute the "Remove" coupon action. Thank you.

Michelle, PortSwigger Agent | Last updated: Aug 17, 2023 02:28PM UTC

Hi, thanks for getting in touch. There isn't currently an option to create conditional macros. Depending on the task you are trying to perform, you may find that extensions such as Turbo Intruder from the BApp Store (https://portswigger.net/bappstore/9abaa233088242e8be252cd4ff534988) give you additional flexibility, or you may even want to create your own extension (https://portswigger.net/burp/documentation/desktop/extensions/creating).
