Burp Suite User Forum


Test application with random parameter names

Krzysztof | Last updated: Jan 08, 2016 08:12AM UTC

Is there any possibility in Burp to use Intruder or Scanner to test an application which sends random parameter names in each request? The application works in this way, for each page:

- generates parameter names, I see them in the HTML source,
- when I click, sends a POST request with the generated parameters,
- invalidates old parameter names; when I try to repeat a request with the same parameter names I get an error.

I can read parameter names in custom parameter locations, but they will be used as parameter values for constantly named parameters.

PortSwigger Agent | Last updated: Jan 08, 2016 09:24AM UTC

There isn't currently a neat way to deal with this situation using Burp's native capabilities. You could write an extension to deal with this in two possible ways:

(a) Register an IHttpListener to get access to all requests and responses via Burp. Monitor responses to spot the new names, remember these, and update them in the next request. This would only work for single-threaded tasks, but it's possible that you can only access this app in a single-threaded way anyway, depending on how it validates/expires the names.

(b) Create a session handling rule that runs a macro to obtain a response with a new set of names, and register a custom session handling action that pulls the names from the macro response and updates them in the current request.
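The name-tracking logic behind option (a), as an added example that is not part of the original thread and is not PortSwigger code. It assumes the application emits its random names as `<input name="...">` attributes in a stable field order, so old names can be swapped for new ones by position; in a Burp extension these two methods would be called from the `IHttpListener.processHttpMessage` callback, and `RotatingNameTracker` is a hypothetical name.

```python
import re

# Assumption: the per-page random names appear as <input name="..."> attributes.
INPUT_NAME_RE = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.I)

# Constructed sample data, not taken from any real application.
SAMPLE_RESPONSE = ('<form method="post"><input type="text" name="f_9c1e">'
                   '<input type="password" name="f_44ab"></form>')
STALE_REQUEST_BODY = "f_0a7d=alice&f_31ff=dGVzdA=="


class RotatingNameTracker(object):
    """Remembers the newest field names and applies them to the next request.

    Holds a single set of names, so it is only valid for single-threaded use,
    as the reply above points out.
    """

    def __init__(self):
        self.current_names = []

    def learn_from_response(self, html):
        """Called for each response: record the names the server just issued."""
        names = INPUT_NAME_RE.findall(html)
        if names:  # keep the previous set when a response carries no form
            self.current_names = names
        return names

    def rewrite_request_body(self, body):
        """Called for each outgoing request: swap stale names for fresh ones."""
        pairs = [p.split("=", 1) for p in body.split("&") if p]
        if len(pairs) != len(self.current_names):
            return body  # field count differs, positional mapping is unsafe
        fresh = []
        for new_name, pair in zip(self.current_names, pairs):
            # Keep the value untouched, including any '=' inside it.
            fresh.append("=".join([new_name] + pair[1:]))
        return "&".join(fresh)


def demo():
    tracker = RotatingNameTracker()
    tracker.learn_from_response(SAMPLE_RESPONSE)
    return tracker.rewrite_request_body(STALE_REQUEST_BODY)


if __name__ == "__main__":
    print(demo())
```
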
