Burp Suite User Forum


ratelimiting intruder issue / inconvenience during the auth lab

Rens | Last updated: Jun 21, 2024 10:31AM UTC

Hi Team, During the lab I ran into an issue with the rate limiting of the Community edition with the lab "Username enumeration via account lock". Here you need to lock the account to figure out the username and see which account name is valid. The account reset is after 1 minute, and therefore, after a few attempts at cluster bombing with no distinctive results, I figured that the reset would already occur during the attack cycle. I couldn't find a way to raise a question about adding a comment to the explanations in the lab description, so I turned here. The way I tried to "fix" the issue of the throttle is to launch multiple attacks at the same time for the lab to reach the required amount to lock an account and see the change in behaviour fast enough before the reset. This can also be achieved by breaking up the account names into blocks to cycle through a portion of the account names fast enough. Hope this helps, and maybe an additional side note can be added to the solutions paragraph for people using the Community edition. KR. Rens

Rens | Last updated: Jun 21, 2024 10:33AM UTC

PS. great job on the academy and awesome to have this content available!

Ben, PortSwigger Agent | Last updated: Jun 21, 2024 10:40AM UTC

Hi Rens, Thank you for your message, and we are glad to hear that you are enjoying the Web Academy! Yes, the general approach for some of the Intruder-based labs when using Burp Community would be to split the attack up into various smaller subsets in order to get round the throttling that is present in Intruder in the Community version. So rather than running one large attack (which would ultimately get slower and slower the more requests are being sent), sending attacks that comprise 30, 40 or 50 requests is normally an ideal approach. We have raised the possibility of adding some notes to labs where this might be an issue, but it was decided that this would not be something we would be looking to do in the short term.
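The lab discussed in this thread works because the application's lockout logic answers differently for a real account than for a non-existent one. The following is an added example, not part of the thread and not PortSwigger's lab code: a constructed login service with a `hardened` switch. The vulnerable branch mirrors the lab's behaviour (an unknown username never reaches the lock check, so after `LOCK_THRESHOLD` bad passwords only a valid name starts returning the "too many attempts" message). The hardened branch runs the same counter, lock check and hash comparison for every submitted name and returns one generic message on every failure path. `leaks_account_existence()` is a small regression check a developer can keep in a test suite to confirm the fix. All names, thresholds and credentials are constructed.

```python
"""Constructed demo: lockout-based username enumeration, vulnerable vs. hardened.
Not the lab's real code; values are illustrative."""
import hashlib
import hmac
from dataclasses import dataclass

LOCK_THRESHOLD = 3   # failed attempts before a lockout (constructed value)
LOCK_SECONDS = 60    # lockout length, matching the one-minute reset mentioned in the thread
GENERIC_MSG = "Invalid username or password."
LOCKED_MSG = "You have made too many incorrect login attempts."


def _hash(pw: str) -> bytes:
    # SHA-256 keeps the demo short; a real system uses a slow KDF (argon2, bcrypt, scrypt).
    return hashlib.sha256(pw.encode()).digest()


@dataclass
class Account:
    pw_hash: bytes


class LoginService:
    def __init__(self, users: dict, hardened: bool):
        self.accounts = {u: Account(_hash(p)) for u, p in users.items()}
        self.hardened = hardened
        self.failures = {}       # submitted username -> consecutive failures
        self.locked_until = {}   # submitted username -> unix time the lock expires

    def _record_failure(self, name: str, now: float) -> None:
        n = self.failures.get(name, 0) + 1
        self.failures[name] = n
        if n >= LOCK_THRESHOLD:
            self.locked_until[name] = now + LOCK_SECONDS
            self.failures[name] = 0

    def login(self, name: str, password: str, now: float) -> str:
        acct = self.accounts.get(name)
        if not self.hardened:
            # VULNERABLE: unknown names exit before the lock check, so only a valid
            # name can ever answer LOCKED_MSG. That difference is the oracle.
            if acct is None:
                return GENERIC_MSG
            if self.locked_until.get(name, 0) > now:
                return LOCKED_MSG
            if hmac.compare_digest(acct.pw_hash, _hash(password)):
                self.failures.pop(name, None)
                return "OK"
            self._record_failure(name, now)
            return GENERIC_MSG
        # HARDENED: identical work and identical message whether or not the name exists.
        locked = self.locked_until.get(name, 0) > now
        # Hash even for unknown names so response time does not depend on existence.
        expected = acct.pw_hash if acct else _hash("\0dummy-hash-input")
        ok = hmac.compare_digest(expected, _hash(password)) and acct is not None and not locked
        if ok:
            self.failures.pop(name, None)
            return "OK"
        self._record_failure(name, now)   # a locked or unknown name is counted too
        return GENERIC_MSG


def leaks_account_existence(hardened: bool) -> bool:
    """Regression check: push a known and an unknown username through
    LOCK_THRESHOLD + 1 failed logins and report whether the responses diverge."""
    svc = LoginService({"alice": "correct horse battery staple"}, hardened)
    seen = {}
    for name in ("alice", "no-such-user"):
        seen[name] = [svc.login(name, "wrong-password", now=1000.0 + i)
                      for i in range(LOCK_THRESHOLD + 1)]
    return seen["alice"] != seen["no-such-user"]


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_account_existence(hardened=False))  # True
    print("hardened leaks:  ", leaks_account_existence(hardened=True))   # False
```

The hardened branch still locks a real account after repeated failures (a correct password is refused until the lock expires), but it no longer tells the caller that a lock exists; in production this is normally paired with per-source rate limiting and an out-of-band notification to the account owner rather than an on-screen message.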
