Burp Suite User Forum

Login to post

Intruder - brute-force with recursive grep and more, than 2 params

Marcel | Last updated: May 10, 2022 12:27PM UTC

Hello, I got a question (BurpSuitePro) I would like to brute-force login on site, where are 3 dynamic params. • session_code, each attempt must be used value from previous response, unpredictable, generated by server application • email, list of 50 • password, list of 2000 Via recursive grep function I pick value of session_code from previous response. Email is set, password is set. When I use Cluster Bomb type of attack, it will keep trying only first positions of email and password, because session_code is each attempt different and Burp thinks, that this payload (recursive grep of session_code) is not exhausted yet, so it keeps trying very same combination of email and password. Is there way, how to try all permutations of email and password, while one (or more) params (in this case session_code) is grepped from previous response and is each attempt different? Thank you if advance, Marcel

Ben, PortSwigger Agent | Last updated: May 11, 2022 01:31PM UTC

Hi Marcel, Are you able to send us an email to support@portswigger.net and include some screenshots of how you are trying to set this attack up within Burp? In addition to the above, can you clarify whether the requirement to obtain the session_code from a previous Intruder response is absolute?

You need to Log in to post a reply. Or register here, for free.