Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Intruder Cluster Bomb Iteration Order

Joseph | Last updated: Jul 26, 2021 09:57PM UTC

So with Cluster Bomb, we can generate various permutations of multiple wordlists across different parameters. But is there a way to choose the order of iteration? For example, let's say that I have the following for wordlists (1,2,3) and (a,b,c): GET /filter?id=§1§&pw=§b§ With a cluster bomb, this will use the first item from the second wordlist paired with every item in the first wordlist. And then continue with the second item in the second wordlist. So our requests are like so: /filter?id=1&pw=a /filter?id=2&pw=a /filter?id=3&pw=a /filter?id=1&pw=b /filter?id=2&pw=b /filter?id=3&pw=b /filter?id=1&pw=c /filter?id=2&pw=c /filter?id=3&pw=c But what if I want to iterate with pw and THEN id. So I want the order of my requests to look like so: /filter?id=1&pw=a /filter?id=1&pw=b /filter?id=1&pw=c /filter?id=2&pw=a /filter?id=2&pw=b /filter?id=2&pw=c /filter?id=3&pw=a /filter?id=3&pw=b /filter?id=3&pw=c Is there a way to do this?

Ben, PortSwigger Agent | Last updated: Jul 28, 2021 08:03AM UTC

Hi Joseph, It sounds like this would be something that you could achieve by using the Turbo Intruder extension. The multipleParameter.py script should be a good starting point to allow you to do this. If you are not already familiar with Turbo Intruder then you can find out more information on its usage below: https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack Cheers Ben Wright Technical Product Specialist PortSwigger

Mopam | Last updated: Mar 03, 2022 10:34AM UTC

I've figured a solution for this w/o the need for turbo intruder or some other script: simply invert the order of the parameters! from "?id=1&pw=a" to "?pw=a&id=1" :)))

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.