The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Intruder - Attack Types - How can I use dynamic numbers for only a param while attacking other params

my | Last updated: Nov 26, 2019 11:10AM UTC

I have a request that needs a different attack type, for example:

register_user.php?name=[payload1]&address=[payload2]&mail=[payload3]

and a payload list with 100 lines. I want to test for the following results:

Payload1 = 1, payload2 = Injection_Test_1, Payload3 = default/blank
Payload1 = 2, payload2 = Injection_Test_2, Payload3 = default/blank
...
Payload1 = 100, payload2 = default/blank, Payload3 = Injection_test_1
..
Payload1 = 200, payload2 = default/blank, Payload3 = Injection_test_100

200 requests in total. The Param1 value is unique for every request and I don't want to attack it.

In this case, I need to attack the parameters using the sniper attack type, IMO, because I don't want the multiple requests that Pitchfork or Cluster Bomb produce. They have different behaviors than I need. The sniper attack type fits my case better, but the sniper attack type only allows 1 payload set, because it attacks all payload positions with the same payload set in order. The sniper attack type allows the following result:

Payload1 = Injection_test_1, payload2 = default/blank, Payload3 = default/blank
...
Payload1 = Injection_test_100, payload2 = default/blank, Payload3 = default/blank
...
Payload1 = default/blank, payload2 = default/blank, Payload3 = Injection_test_100

300 requests in total. Also, Payload1 is attacked and it doesn't have a unique value while the other injections are going on.

I think I can use a macro to set Payload1, but it's just a workaround. Also, there is no need to use a macro rule for getting Payload1's value (iterating a number is OK). I am curious whether there is an alternative way of doing this job.

Burp User | Last updated: Nov 26, 2019 11:27AM UTC

For a workaround, I use this extension https://portswigger.net/bappstore/36d6d7e35dac489b976c2f120ce34ae2
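
The enumeration asked for in the question, modelled as an added example that is not part of the original thread and does not use Burp's API: sniper-style iteration over `address` and `mail` only, while `name` receives a fresh counter value in every request. The function names, the empty-string defaults and the payload strings are assumptions made for the illustration, and the code only builds query strings without sending anything.

```python
from itertools import count
from urllib.parse import urlencode

def sniper(base, payloads, positions):
    """Sniper order: one position at a time, every payload in turn,
    all other parameters left at their base value."""
    for pos in positions:
        for payload in payloads:
            params = dict(base)      # copy so each request starts from the base
            params[pos] = payload
            yield params

def sniper_with_counter(base, payloads, positions, counter_param, start=1):
    """Same enumeration, but counter_param is never an injection position
    and carries a new number in every generated request."""
    if counter_param in positions:
        raise ValueError("counter parameter must not be an attacked position")
    numbers = count(start)
    for params in sniper(base, payloads, positions):
        params[counter_param] = str(next(numbers))
        yield params

def to_query(path, params):
    """Render one parameter set as a request line (values are URL-encoded)."""
    return f"{path}?{urlencode(params)}"

# Constructed sample data: blank defaults and a 100-line payload list.
BASE = {"name": "", "address": "", "mail": ""}
PAYLOADS = [f"Injection_Test_{i}" for i in range(1, 101)]

if __name__ == "__main__":
    plain = list(sniper(BASE, PAYLOADS, ["name", "address", "mail"]))
    wanted = list(sniper_with_counter(BASE, PAYLOADS, ["address", "mail"], "name"))
    print(len(plain), "requests with plain sniper over three positions")
    print(len(wanted), "requests with two positions and a counter")
    for params in wanted[:2] + wanted[99:101] + wanted[-1:]:
        print(to_query("register_user.php", params))
```

A list produced this way can be exported as pre-built request lines, so each request has exactly one injected parameter plus a unique `name`.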

Liam, PortSwigger Agent | Last updated: Nov 26, 2019 01:12PM UTC