Burp Suite User Forum


Multiple usernames as Prefixes when Base64 encoding authentication

Kenny | Last updated: Oct 02, 2015 08:17AM UTC

Hi, is there a way to supply a list of usernames to be used as a prefix when payload processing prior to base64 encoding? I have an application which has a pop-up authentication window to log in. The authentication mechanism Base64 encodes the username & password in a username:password format before forwarding it to the server, so I can only highlight the one position once it's sent to Intruder. I have a list of usernames I would like to prefix before each of the passwords in the list prior to base64 encoding, but I can only figure out how to do this one username at a time. Can anyone help? Cheers

PortSwigger Agent | Last updated: Oct 02, 2015 09:52AM UTC

You can't do this within Burp Intruder's native functionality. I would suggest the following approach:

1. In Intruder, ignore the encoding and use raw unencoded values. Use a cluster bomb attack with two payload positions around the username and password, and configure your two wordlists.
2. Write a short extension to obtain the full value of the parameter containing the credentials (as username:password), perform Base64-encoding on this value, and update the request with the encoded value.
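The encoding step from point 2 of the reply above, as an added example that is not part of the original thread and not PortSwigger's code: a Python function that rewrites a request whose Basic `Authorization` header still holds a raw `username:password` value. The function name and the sample request are assumptions; wiring the function into Burp's extension API is not shown.

```python
import base64
import re

# Header line whose Basic credentials are still the raw "user:pass" text.
_BASIC = re.compile(
    rb"^(Authorization:[ \t]*Basic[ \t]+)([^\r\n]*)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample request (credentials are the RFC 7617 example pair).
SAMPLE_REQUEST = (
    b"GET /protected HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Authorization: Basic Aladdin:open sesame\r\n"
    b"\r\n"
)


def encode_basic_credentials(request: bytes) -> bytes:
    """Base64-encode the raw user:pass value of a Basic Authorization header.

    Only the header section is searched, so a request body that happens to
    contain the same text is left alone.
    """
    head, sep, body = request.partition(b"\r\n\r\n")

    def _encode(match):
        raw = match.group(2).strip()  # drop optional surrounding whitespace
        # The Base64 alphabet has no ':', so a value without one is either
        # already encoded or not a credential pair: leave the line untouched.
        if b":" not in raw:
            return match.group(0)
        # The whole value is encoded as-is, so colons inside the password
        # survive; the server splits on the first colon only.
        return match.group(1) + base64.b64encode(raw)

    return _BASIC.sub(_encode, head, count=1) + sep + body


if __name__ == "__main__":
    print(encode_basic_credentials(SAMPLE_REQUEST).decode())
```

Because already-encoded values are skipped, running the function twice on the same request gives the same result as running it once.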
