The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


How does one get timing results in Burp Intruder?

Rui | Last updated: Nov 04, 2023 07:00PM UTC

I am aware of the "Response received" and "Response completed" columns in the Intruder Attack menu, but these numbers do not correlate with the timing results produced in Repeater. I have a test scenario which produces different response times depending on a request parameter, and can easily reproduce this manually in Repeater. But Intruder timings do not match, even for the same parameter values. I am using a resource pool with only 1 concurrent request.

Thanks,
Rui

Hannah, PortSwigger Agent | Last updated: Nov 06, 2023 04:58PM UTC

Hi Rui,

Are you seeing wildly different response times in Repeater compared to Intruder? Is it possible for you to drop us an email at support@portswigger.net with some screenshots of the behavior you are experiencing?

We do have some additional functionality in place in Intruder to speed up network requests, so it may be that this is slightly affecting your results. To that end, could you also include a screenshot of your settings under "Intruder > Settings > HTTP/1 connection reuse"?

Rui | Last updated: Nov 08, 2023 09:24PM UTC

Yes, Repeater consistently shows around 120ms response when an account exists (whether the password provided is correct or not), and 1,350ms when the account does not exist. This is consistent with the issue described at https://raxis.com/blog/rd-web-access-vulnerability/. Intruder does the same if I am testing for valid accounts. I would like to use the same technique to test for valid passwords, but that appears to be a different issue.

Michelle, PortSwigger Agent | Last updated: Nov 09, 2023 11:09AM UTC