Burp Suite User Forum

Create new post

Sequencer: Token generation requires two requests

Garth | Last updated: Apr 20, 2023 07:49PM UTC

I would like to analyse token generated for a client's API. However their token generation mechanism requires a POST followed by a GET. The GET has the token embedded in the response body. Sequencer appears to be able to add multiple requests to the "Select Live Capture Request". However it treats each request individual anticipating that the token will be in each response. Is there a way in Sequencer to chain requests and then extract the token from the response in the final request? Otherwise my alternative is to bash script something to generate a file of tokens for import to sequencer.

Hannah, PortSwigger Agent | Last updated: Apr 21, 2023 01:33PM UTC

Hi Have you had a look at using session handling rules in Sequencer? You can use these to run a macro for your request and extract the token.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.