The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Repeater response time inconsistent

FeasibleSecEnthusiast | Last updated: Sep 01, 2024 04:37PM UTC

Hi, I recently did some testing on different targets, where I tried testing for command injection. I observed that the sleep commands seemed to have worked in some cases, while manually testing via Repeater. For instance, I manually observed that SLEEP(10) caused a delay of over 10 seconds in one instance. However, the tool displays the time taken for the response to be around 1 or 2 seconds when the delay was indeed over 10 seconds. Subsequent replays of the command didn't cause the delay, so, on a side note, there may have been some other reasons for the delay, and maybe not a command injection issue. Irrespective of the anomaly, I was still hoping to report the one time that the SLEEP command seemed to have worked, and not immediately assume that there is no vulnerability. I am not sure if I am missing any setting. Or is this some known bug in the tool around response time displayed, especially when there is some network anomaly? Either way, I request some guidance around this. Thanks!

FeasibleSecEnthusiast | Last updated: Sep 02, 2024 01:20AM UTC

To add to my queries/re-formulate it - if the display doesn't always show the actual amount of time a response took, is there some other log I can refer to, which can hopefully reflect the exact time taken for the response to be returned?

Michelle, PortSwigger Agent | Last updated: Sep 02, 2024 08:30AM UTC