Run multiple JSON Requests as Macro

Sufijen | Last updated: Oct 15, 2020 11:21AM UTC

Hi, I hope you can help me find an easy way to do what I plan to do. I personally tried Macros, Turbo Intruder, and I started to create an extension, which leaves some open questions. But let me first describe my problem:

In general, I want to run a "playbook" (multiple requests) in the Intruder. This should run multi-threaded. I plan to run it in 10 threads with 1000 repetitions as fast as possible. What happens:

1. Send a JSON request to start a transaction
2. Take the transaction id from the JSON response
3. Send a new JSON request to another endpoint to confirm the transaction

First request:

```
POST /api/transaction/start HTTP/1.1

{"recipient":"Foo Bar","iban":"XXXXXXXX","bic":"YYYYYY","subject":"ZZZZZZZZ","amount":"0.03","accountnumber":"PPPPPPPPPPPP"}
```

First response:

```
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 15 Oct 2020 07:55:34 GMT
Content-Type: application/json
Connection: close
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Length: 101

{"account_transaction_uuid":"ab18d86f-1d92-4b5c-84a1-d4f0125294d0"}
```

The transaction id for the second payload: `ab18d86f-1d92-4b5c-84a1-d4f0125294d0`

Second request:

```
POST /api/transaction/confirm HTTP/1.1

{"account_transaction_uuid":"ab18d86f-1d92-4b5c-84a1-d4f0125294d0","pin":"123abc"}
```

Is that possible with Macros? Because I think it can only handle parameters. Is that possible with any other Burp-only methods? Or do I need an extension? How would you do it?

Thank you very much!

Best regards
S

Sufijen | Last updated: Oct 15, 2020 11:57AM UTC

Forgot to tell you about some of the request headers: there are "Authorization" and Signature headers. So I also need to copy some headers from the first/origin request.
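The start/extract/confirm playbook from the two posts above, written as a standalone multi-threaded Python 3 script rather than a Burp macro. This is an added example, not code from the original poster or from PortSwigger. It assumes placeholder values for the Authorization and Signature headers (the real token and signature are not on the page), the PIN `123abc` from the post, and a constructed in-process mock of the two endpoints (hypothetical: it only hands out a uuid on start, and accepts a confirm whose uuid it issued earlier and whose copied headers are present; it does not model the real server). The client side copies the two headers onto both requests, pulls `account_transaction_uuid` out of the first JSON response, and feeds it into the second request body; the thread count and repetition count are arguments.

```python
"""Two-step transaction playbook, run multi-threaded against an in-process mock.

Added example (not from the forum post or PortSwigger): replays the
start -> extract uuid -> confirm sequence with the Authorization and Signature
headers copied from the first request onto the second, using only the stdlib.
"""
import json
import threading
import urllib.error
import urllib.request
import uuid
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed placeholder header values; the real token and signature are not on the page.
AUTH_HEADERS = {"Authorization": "Bearer <token>", "Signature": "<signature>"}
# Body from the post, with the anonymised placeholder values kept as-is.
START_PAYLOAD = {"recipient": "Foo Bar", "iban": "XXXXXXXX", "bic": "YYYYYY",
                 "subject": "ZZZZZZZZ", "amount": "0.03", "accountnumber": "PPPPPPPPPPPP"}


class MockBank(BaseHTTPRequestHandler):
    """Constructed stand-in for the two endpoints so the script runs offline.
    It does not model the real server: it issues a uuid on start and accepts a
    confirm whose uuid it issued earlier and whose auth headers are present."""
    issued = set()
    confirmed = set()
    lock = threading.Lock()

    def log_message(self, *args):  # keep the console quiet
        pass

    def _json(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if not self.headers.get("Authorization") or not self.headers.get("Signature"):
            return self._json(401, {"error": "missing Authorization/Signature"})
        if self.path == "/api/transaction/start":
            tid = str(uuid.uuid4())
            with self.lock:
                self.issued.add(tid)
            return self._json(200, {"account_transaction_uuid": tid})
        if self.path == "/api/transaction/confirm":
            tid = body.get("account_transaction_uuid")
            with self.lock:
                ok = tid in self.issued and tid not in self.confirmed
                if ok:
                    self.confirmed.add(tid)
            return self._json(200 if ok else 409, {"confirmed": ok})
        return self._json(404, {"error": "unknown endpoint"})


def post_json(base_url, path, payload, headers):
    """POST a JSON body with the given headers; return (status, parsed JSON body)."""
    req = urllib.request.Request(base_url + path, data=json.dumps(payload).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    for name, value in headers.items():  # copy Authorization and Signature onto every request
        req.add_header(name, value)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a JSON body we want
        return err.code, json.loads(err.read() or b"{}")


def run_playbook(base_url, headers, start_payload, pin):
    """One iteration: start, pull the uuid out of the JSON response, confirm it."""
    status, body = post_json(base_url, "/api/transaction/start", start_payload, headers)
    tid = body.get("account_transaction_uuid") if status == 200 else None
    if tid is None:
        return {"start": status, "confirm": None, "uuid": None}
    confirm_status, _ = post_json(base_url, "/api/transaction/confirm",
                                  {"account_transaction_uuid": tid, "pin": pin}, headers)
    return {"start": status, "confirm": confirm_status, "uuid": tid}


def run_many(base_url, headers, start_payload, pin, threads=10, repetitions=1000):
    """Run the playbook `repetitions` times across `threads` workers; return every result."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return list(pool.map(lambda _: run_playbook(base_url, headers, start_payload, pin),
                             range(repetitions)))


def start_mock():
    """Start the constructed mock on a free loopback port; return (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockBank)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    server, base = start_mock()  # point `base` at the real host to use this as a CLI tool
    results = run_many(base, AUTH_HEADERS, START_PAYLOAD, "123abc", threads=10, repetitions=100)
    counts = {}
    for r in results:
        key = (r["start"], r["confirm"])
        counts[key] = counts.get(key, 0) + 1
    print("(start, confirm) status counts:", counts)
    server.shutdown()
```

The per-iteration result keeps both status codes and the uuid, so after a run you can group on the (start, confirm) pair the way Intruder's results table would, and spot iterations where the second step was rejected. Against the real target, replace the placeholder header values with the ones captured in Burp and drop the mock.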

Uthman, PortSwigger Agent | Last updated: Oct 15, 2020 12:20PM UTC

Hi, In general, this is possible in Burp using Macros and Session Handling Rules. These are available under Project options > Sessions. The example you have mentioned should be achievable using the Custom Parameter Handler extension (https://portswigger.net/bappstore/a0c0cd68ab7c4928b3bf0a9ad48ec8c7). Can you take a look at this and let me know how you get on?

Sufijen | Last updated: Oct 19, 2020 12:34PM UTC

I honestly don't understand how to use the extension. I will code a CLI tool first to solve that issue quickly and maybe come back to the extension later.

