Burp Suite User Forum

Login to post

Turbo Intruder with Session Handling Rules

404 | Last updated: Nov 04, 2022 11:44AM UTC

Hello to all, I'm trying to learn turbo intruder. I created session handling rules for 2FA lab to get CSRF tokens like: get /login post /login post /login2 every time I use repeater or intruder my session handling rules are working but if I try to use turbo intruder handling rules are bypassed and every request's csrf token is same with first request. I tried to use engine=Engine.BURP but that still didn't work. Here is my code, please help me. ----------------------------CODE------------------------------- def queueRequests(target, wordlists): engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=1, engine=Engine.BURP ) for word in range(0,9999): mfacode = '{0:04}'.format(word) engine.queue(target.req,mfacode.rstrip()) def handleResponse(req, interesting): # currently available attributes are req.status, req.wordcount, req.length and req.response if req.status != 404: table.add(req)

Ben, PortSwigger Agent | Last updated: Nov 04, 2022 01:49PM UTC

Hi, Are you able to confirm how you have setup the scope of your session handling rule?

You need to Log in to post a reply. Or register here, for free.