Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Intruder Cluster Bomb Iteration Order

Joseph | Last updated: Jul 26, 2021 09:57PM UTC

So with Cluster Bomb, we can generate various permutations of multiple wordlists across different parameters. But is there a way to choose the order of iteration? For example, let's say that I have the following for wordlists (1,2,3) and (a,b,c): GET /filter?id=§1§&pw=§b§ With a cluster bomb, this will use the first item from the second wordlist paired with every item in the first wordlist. And then continue with the second item in the second wordlist. So our requests are like so: /filter?id=1&pw=a /filter?id=2&pw=a /filter?id=3&pw=a /filter?id=1&pw=b /filter?id=2&pw=b /filter?id=3&pw=b /filter?id=1&pw=c /filter?id=2&pw=c /filter?id=3&pw=c But what if I want to iterate with pw and THEN id. So I want the order of my requests to look like so: /filter?id=1&pw=a /filter?id=1&pw=b /filter?id=1&pw=c /filter?id=2&pw=a /filter?id=2&pw=b /filter?id=2&pw=c /filter?id=3&pw=a /filter?id=3&pw=b /filter?id=3&pw=c Is there a way to do this?

Ben, PortSwigger Agent | Last updated: Jul 28, 2021 08:03AM UTC

Hi Joseph, It sounds like this would be something that you could achieve by using the Turbo Intruder extension. The multipleParameter.py script should be a good starting point to allow you to do this. If you are not already familiar with Turbo Intruder then you can find out more information on its usage below: https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack Cheers Ben Wright Technical Product Specialist PortSwigger

Mopam | Last updated: Mar 03, 2022 10:34AM UTC