Burp Suite User Forum

[intruder] brute forcer tickets get used up?

Linus | Last updated: Nov 18, 2017 03:33PM UTC

The website I am testing here does not have any captcha, however it does only allow one login per ticket. It is not a thing because the ticket gets regenerated when the browser gets refreshed. How do I get Burp Suite to generate a new ticket every time it does a new payload?

A snapshot of:

user_session%5Busername%5D=fakeusername&user_session%5Bpassword%5D=§password§&lt=LT-1511018798r8EB3B66739CF2C09B5&service=&commit=Log+In

As you can see, the lt=LT-xxxxxx specifies the ticket. The website does not allow the usage of the same tickets. Is there a way to get around this? (In the browser, when the page gets refreshed, a new ticket will be generated, but not in Burp Suite.)

PortSwigger Agent | Last updated: Nov 20, 2017 10:09AM UTC

Hi Linus,

Thanks for your inquiry. Burp's Session Handling Rules can help you deal with scenarios like this. There's a tutorial about using Session Rules to do a login here:

- https://support.portswigger.net/customer/portal/articles/2363088-configuring-burp-s-session-handling-rules

In your case, you need to identify the request that fetches a new token, and create a macro to issue that. You also need a Session Handling Rule that runs the macro.

Please let us know if you need any further assistance.
