Burp Suite User Forum


Two-step Intruder attacks

Erik | Last updated: Sep 07, 2023 10:43PM UTC

I'm testing a site where a PUT is altering a record, but the site only returns 202 Accepted. In order to find out if each payload ends up intact, altered, or causes an error, a separate request has to be made to the corresponding GET endpoint. It would be helpful if there was a way to add a "validate" request that follows after, and have columns for the output length of those requests. Maybe even search for the payload in the 2nd response and alert if it's intact, altered, or missing.

Michelle, PortSwigger Agent | Last updated: Sep 08, 2023 08:22AM UTC

Hi,

How much information would you need to see from the initial PUT request in the Intruder results window? Would you just need to see the payload in the Intruder results column? If this would be enough, would using session handling rules to run a post request macro that sends the GET request help in your scenario?

https://portswigger.net/burp/documentation/desktop/settings/sessions/session-handling-rules
https://portswigger.net/burp/documentation/desktop/settings/sessions/session-handling-rules#run-a-post-request-macro

I'm picturing setting up an Intruder attack based on the PUT request, then under Settings > Sessions > Session handling rules create a rule where the Scope is limited to your test URL and the Intruder tool and the rule action is 'Run post request macro'. In the options on this action, you can choose to pass the final response from the macro back to the invoking tool, which means that the request and response shown for each payload in the Intruder results would be the GET request.
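The two-step "send, then validate" pass that the thread describes, written out as a standalone script so the classification logic (payload intact, altered, missing, or request error) is explicit. This is an added example, not code from the thread or from PortSwigger; the target is a constructed in-process mock whose PUT only answers 202 Accepted, and the record URL, the single `name` field, and the sample payloads are all assumptions made for the demo.

```python
"""Two-step validate pass: PUT each payload, GET the record back, classify.

The HTTP target below is a constructed mock standing in for the site in the
thread: PUT stores a record and only ever answers 202, GET returns it as JSON.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample payloads; each one exercises a different outcome.
SAMPLE_PAYLOADS = ["alice", "<b>bob</b>", "carol'--", "x" * 300]


class MockRecordHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the site under test (not a real service)."""
    store = {}  # path -> stored value

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        value = self.rfile.read(length).decode()
        if len(value) > 255:                  # over-long value -> server error
            self.send_response(500)
            self.end_headers()
            return
        cleaned = value.replace("<", "").replace(">", "")  # tags silently stripped
        if "'" in cleaned:                    # apostrophes: record silently dropped
            self.store.pop(self.path, None)
        else:
            self.store[self.path] = cleaned
        self.send_response(202)               # 202 Accepted, nothing else
        self.end_headers()

    def do_GET(self):
        if self.path not in self.store:
            self.send_response(404)
            self.end_headers()
            return
        body = json.dumps({"name": self.store[self.path]}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)


def _request(method, url, body=None):
    """Return (status, body) for one request, treating HTTP errors as results."""
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def classify(payload, put_status, get_status, get_body):
    """Verdict for one payload from the PUT status plus the follow-up GET."""
    if put_status != 202:
        return "error"
    if get_status == 404:
        return "missing"
    if get_status != 200:
        return "error"
    stored = json.loads(get_body).get("name")
    return "intact" if stored == payload else "altered"


def two_step_attack(base_url, payloads, record_id="42"):
    """PUT each payload, then GET the same record; returns one row per payload."""
    url = f"{base_url}/records/{record_id}"     # assumed URL layout
    rows = []
    for payload in payloads:
        put_status, _ = _request("PUT", url, payload.encode())
        get_status, get_body = _request("GET", url)
        verdict = classify(payload, put_status, get_status, get_body)
        rows.append((payload, put_status, get_status, len(get_body), verdict))
    return rows


def run_against_mock(payloads=SAMPLE_PAYLOADS):
    """Spin up the constructed mock on a free port and run the attack against it."""
    MockRecordHandler.store = {}
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockRecordHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return two_step_attack(f"http://127.0.0.1:{server.server_port}", payloads)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for payload, put_st, get_st, length, verdict in run_against_mock():
        print(f"{payload[:16]!r:20} PUT={put_st} GET={get_st} len={length:4} {verdict}")
```

The "GET length" column the original post asks for is the `len(get_body)` field in each row. One caveat when reading such results against a real record: the follow-up GET always reflects whatever the record holds at that moment, so when a PUT is rejected the GET may still show the previous payload's value; ordering the PUT status check before the content comparison, as `classify` does, keeps a rejected payload from being reported as "intact".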
