Burp Suite User Forum


Payload settings [Brute forcer] - randomly generated strings

Martinik | Last updated: May 21, 2024 12:52PM UTC

Hi, Could you please add a new option for "Payload settings [Brute forcer]" to be able to use strings that were randomly generated. Thank you.

Hannah, PortSwigger Agent | Last updated: May 22, 2024 11:26AM UTC

Hi, Currently the brute forcer functionality will try all permutations of the provided character set within the length that you provide. Could you explain a bit more about what you would be looking for with a randomly generated string?

Martinik | Last updated: May 23, 2024 04:40PM UTC

Hi, At the moment the brute forcer functionality is generating strings in consecutive order. It would be nice to have an option to make it generate random strings.

Example: we have this set of chars "abc0123" and want a string with "min length = max length = 6". At the moment the brute forcer is generating this kind of strings:

aaaaaa, baaaaa, caaaaa, 0aaaaa, ...

The new desired feature would allow it to generate random strings (with repeating chars or not), like:

a1b0c3, 12c3b1, c3bb1a, ...

Thank you.

Hannah, PortSwigger Agent | Last updated: May 24, 2024 09:54AM UTC

Hi, The brute forcer generates a payload that is a permutation of your character set that allows repeats. This means that every possible combination of letters will be tried, with any letter in the character set placed at any (and every) position in the sequence. Once your attack has finished running, if you use the filter bar to search for any string sequence defined by your characters, it will be present in the attack. Please let me know if you have any questions!

Martinik | Last updated: May 24, 2024 01:07PM UTC

Hi, Long story short: yes, you are right that "The brute forcer generates a payload that is a permutation of your character set that allows repeats.", but in consecutive order, as I mentioned above. The desired and useful new features:

- add an option (check box or something) to generate those permutations randomly, not in consecutive order
- add an option (check box or something) to choose if a char can be seen multiple times in the same string
- add an option (text box or something) to choose the number of the generated strings

I hope my specific details will be helpful. Thank you.

Ben, PortSwigger Agent | Last updated: May 28, 2024 09:18AM UTC

Hi Martinik, Are you able to clarify the use case behind wanting to generate the permutations in a random order given that all permutations of the given character set will, ultimately, be tried during the attack?

Martinik | Last updated: May 28, 2024 02:30PM UTC

Hi, One example is statistical sampling. There are more, but this one is the best to underline the importance of those features.

Ben, PortSwigger Agent | Last updated: May 29, 2024 12:40PM UTC

Hi Martinik, One final question about your feature request - what do you mean by your third point - 'add an option to choose the number of the generated strings'? Are you able to clarify?

Martinik | Last updated: May 29, 2024 02:53PM UTC

Hi Ben, I read it again and a rephrase is required. In 'add an option (text box or something) to choose the number of the generated strings', the word "choose" can be replaced with "write". Let's say the maximum number of possible generated strings (based on permutations and the first 2 new features) is 1234. The 3rd new feature will be a text box where we can write how many strings (statistical sampling) we want to generate from the maximum available pool (in this case 1234). Suppose I want only 100 strings from the entire 1234 pool. Cheers.

Michelle, PortSwigger Agent | Last updated: May 30, 2024 03:04PM UTC

Hi Thanks for the update. Might there be scenarios where the number of possible generated strings could be greater than the possible number of permutations in your scenario (so one or more of the permutations could be used multiple times)? Or would it always be lower?

Martinik | Last updated: May 30, 2024 06:24PM UTC

Hi Michelle, You have a great idea and it can be the 4th new feature:

- add an option (check box or something) to choose if one or more of the permutations could be used multiple times

Nice! At this moment we could have the following new features:

- add an option (check box or something) to generate those permutations randomly, not in consecutive order
- add an option (check box or something) to choose if a char can be seen multiple times in the same string
- add an option (text box or something) to write the number of the generated strings
- add an option (check box or something) to choose if one or more of the permutations could be used multiple times

Thank you.
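The four options listed in this thread (random order, repeated chars or not, a fixed number of strings, and whether a string may be drawn twice), written as a small Python sampler. This is an added example, not code from the thread or from the extension linked later; the function names `pool_size`, `unrank` and `sample_payloads` are chosen here. Rank 0, 1, 2, ... reproduces the consecutive order the brute forcer uses (aaaaaa, baaaaa, caaaaa, ...), so drawing random ranks is the same as drawing random payloads from that pool.

```python
import math
import random
from typing import List, Sequence


def pool_size(charset: Sequence[str], length: int, repeat_chars: bool) -> int:
    """Number of distinct strings the generator can produce for this configuration."""
    n = len(charset)
    if repeat_chars:
        return n ** length          # every position independently picks any char
    return math.perm(n, length)     # falling factorial; 0 when length > len(charset)


def unrank(rank: int, charset: Sequence[str], length: int, repeat_chars: bool) -> str:
    """Map a rank in [0, pool_size) to one string, with the first position varying fastest."""
    out: List[str] = []
    if repeat_chars:
        n = len(charset)
        for _ in range(length):
            rank, digit = divmod(rank, n)   # plain base-n digits
            out.append(charset[digit])
        return "".join(out)
    remaining = list(charset)
    for _ in range(length):
        rank, digit = divmod(rank, len(remaining))   # mixed radix n, n-1, n-2, ...
        out.append(remaining.pop(digit))             # consumed chars cannot repeat
    return "".join(out)


def sample_payloads(charset: str, length: int, count: int, repeat_chars: bool = True,
                    reuse_permutations: bool = False, seed: int = None) -> List[str]:
    """Draw `count` payloads at random instead of enumerating the pool in order.

    reuse_permutations=False draws distinct strings (sampling without replacement);
    True allows the same string to be drawn more than once, so count may exceed the pool.
    `seed` is only for reproducible runs (assumption of this example, not a Burp option).
    """
    size = pool_size(charset, length, repeat_chars)
    if size == 0:
        raise ValueError("length exceeds charset size and chars may not repeat")
    rng = random.Random(seed)
    if reuse_permutations:
        ranks = [rng.randrange(size) for _ in range(count)]
    else:
        if count > size:
            raise ValueError(f"requested {count} distinct strings but the pool holds {size}")
        ranks = rng.sample(range(size), count)   # distinct ranks => distinct strings
    return [unrank(r, charset, length, repeat_chars) for r in ranks]
```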

Michelle, PortSwigger Agent | Last updated: May 31, 2024 12:35PM UTC

How often do you find you need to perform the types of attack that use statistical sampling techniques vs testing all possible permutations?

Martinik | Last updated: Jun 01, 2024 09:12AM UTC

As I said earlier, the "statistical sampling" is just an example to fit these features in a real life scenario. Maybe each of us has another scenario that requires these features. I personally wish I had these features to optimize my work time and to avoid using other tools or scripts to generate those strings and import them in Burp.

Michelle, PortSwigger Agent | Last updated: Jun 03, 2024 01:00PM UTC

How often are you performing this type of attack? (Knowing this kind of information helps us to prioritize requests). Do you have examples of other scenarios where this type of attack might be used? For a brute force attack, usually the expectation is that all possible permutations are tried to see if any are successful, so I'm just trying to get a better understanding of the different types of scenario that may be missing in case these need to be covered by different attack types instead of being added into the brute force attack.

Martinik | Last updated: Jun 03, 2024 04:24PM UTC

To answer your first question, I perform this type of attack on a weekly basis. These are other examples where the new features could be helpful.

Example 2: Directory listing. The web server was misconfigured and it lists the content of paths. There is a solution in place that creates temporary backups and then stores them in a folder that has a randomly generated name. The backup file can be accessed if we know (guess) the path.

Example 3: File upload. The web application allows changing the profile picture. The newly uploaded picture is stored on the server in a new folder that has a randomly generated name. The picture can be accessed if we know (guess) the path.

Hannah, PortSwigger Agent | Last updated: Jun 04, 2024 03:32PM UTC

Thanks for all the additional information. This sounds like it would come under a new payload type rather than adding to the existing brute force option. It is possible to use an extension to generate the payloads you would like - if you're interested, I'm in the process of putting together a basic extension to which you should be able to add some custom logic to provide the functionality you are looking for.

Martinik | Last updated: Jun 04, 2024 04:38PM UTC

Thank you. I'm looking forward to play with it. ????

Martinik | Last updated: Jun 04, 2024 04:40PM UTC

Please ignore and delete the question marks (it was supposed to be an emoticon).

Hannah, PortSwigger Agent | Last updated: Jun 05, 2024 09:08AM UTC

Unfortunately, emoji tend to get stripped out from the forum - there are still old-school smileys :) You can find the extension frame here: https://github.com/Hannah-PortSwigger/RandomPayloadGenerator The implemented UI isn't pretty, but it is functional. The payload generation logic part (that I've not implemented) can be filled out where the "//TODO" is in the "ExtensionPayloadGenerator" class. Hope you find that useful! Please let us know how you get on.
