Burp Suite User Forum

GET Method

jorge | Last updated: Jun 25, 2021 06:20PM UTC

I'm trying Burp Suite on DVWA to do brute force for practice purposes. When I capture a request, I only get the POST method. How can I get a GET request?

Ben, PortSwigger Agent | Last updated: Jun 28, 2021 10:17AM UTC

Hi, the POST and GET requests are going to be determined by the web site itself, rather than Burp, and I would expect that if you were trying to brute force, for example, a login page, the POST request would be the request that you would need to interact with. Can you clarify what process you are trying to carry out using the DVWA test site?

jorge | Last updated: Jun 28, 2021 06:34PM UTC

Hi Ben, in DVWA there is a login. When you use random credentials you get a message like this: "Login or password incorrect". What I'm trying to do with this is to get a request that uses the GET method. So, adding the payload where the pass and user are, I can do a brute force with two lists, using the cluster bomb attack, so I can get the credentials I need. The message above is to make Burp Suite tell me which credentials are the good ones, but this is not the problem. The problem is that with a POST I can't do this process; I need a GET, and I saw videos where they get this request automatically with DVWA. Is there any configuration to change this? I don't know about it. If I'm wrong and I can do this with POST, please let me know, but I don't think so. Thank you for your time.

jorge | Last updated: Jun 28, 2021 07:14PM UTC

I forgot to mention this before. I have tried with several practice sites to see if the problem came from DVWA (a bad config, ...), but it still happens on those sites.

Ben, PortSwigger Agent | Last updated: Jun 29, 2021 08:05AM UTC

Hi, are you looking at the specific Brute Force section of the DVWA? Just having a quick look at this site, I think the page you are looking at might have the URL http://<host>/vulnerabilities/brute/. Is this correct? If so, the version I am looking at does use a GET request to submit the login credentials (it looks like it is using GET parameters to do this). Do you not see this particular request in your HTTP history within Burp (or any requests that are submitting the username and password parameters)? If not, are you able to email us at support@portswigger.net and provide a screenshot of the requests that you are seeing when you submit the login form? We can then show you some screenshots of what we are seeing, which might assist you with getting this working.
