Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Run multiple JSON Requests as Macro

Sufijen | Last updated: Oct 15, 2020 11:21AM UTC

Hi, I hope you can help me find an easy way to do what I plan to do. I personally tried Macros, Turbo Intruder and I started to create an extensions which leaves some open questions. But let me first describe my problem: In general, I want to run a "playbook" (multiple requests) in the intruder. This should run multi-threaded. I plan to run it in 10 threads with 1000 repetitions as fast as possible. What happens: 1. Send a json request to start a transaction 2. Take the transaction id from json response 3. Send a new json request to another endpoint to confirm the transaction First request: ``` POST /api/transaction/start HTTP/1.1 {"recipient":"Foo Bar","iban":"XXXXXXXX","bic":"YYYYYY","subject":"ZZZZZZZZ","amount":"0.03","accountnumber":"PPPPPPPPPPPP"} ``` First response: ``` HTTP/1.1 200 OK Server: nginx Date: Thu, 15 Oct 2020 07:55:34 GMT Content-Type: application/json Connection: close Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Content-Length: 101 {"account_transaction_uuid":"ab18d86f-1d92-4b5c-84a1-d4f0125294d0"} ``` The transaction id for the second payload: `ab18d86f-1d92-4b5c-84a1-d4f0125294d0` Second request: ``` POST /api/transaction/confirm HTTP/1.1 {"account_transaction_uuid":"ab18d86f-1d92-4b5c-84a1-d4f0125294d0","pin":"123abc"} ``` Is that possible with Macros? Because I think it can only handle parameters. Is that possible with any other Burp only methods? Or do I need an extension? How would you do it? Thank you very much! Best regards S

Sufijen | Last updated: Oct 15, 2020 11:57AM UTC

Forgot to tell you about some of the requests headers: There are "Authorization" and Signature headers. So I also need to copy some headers from the first/origin request

Uthman, PortSwigger Agent | Last updated: Oct 15, 2020 12:20PM UTC

Hi, In general, this is possible in Burp using Macros and Session Handling Rules. These are available under Project options > Sessions. The example you have mentioned should be achievable using the Custom Parameter Handler extension (https://portswigger.net/bappstore/a0c0cd68ab7c4928b3bf0a9ad48ec8c7). Can you take a look at this and let me know how you get on?

Sufijen | Last updated: Oct 19, 2020 12:34PM UTC