Burp Suite User Forum


Update intruder request according to response

Michael | Last updated: Jan 07, 2018 11:41AM UTC

Hi All,

I'm a Burp newbie, sorry if this has been answered before. I am trying to use Intruder to brute force a password reset function. The password reset functionality emails a 4-digit number to the email address specified, and then you are required to enter that 4-digit auth code with your new password. Problem is there is a token that changes if you enter the wrong 4-digit code 3 times. I was hoping to use Intruder to dynamically update the request as soon as the token changes. So if possible, it would send 3 attempts, then look for the new token, use the new token and then do another 3 requests with the new token and repeat.

If anyone can understand what I'm after, are you able to advise if Burp offers this kind of functionality? Or maybe I'm approaching it completely the wrong way. Any advice would help.

Thank you

PortSwigger Agent | Last updated: Jan 08, 2018 08:12AM UTC

Hi Michael,

Thanks for your message. Burp has Macros and Session Handling Rules to cope with this kind of scenario. There's some information here:

- https://support.portswigger.net/customer/en/portal/articles/2363088-configuring-burp-s-session-handling-rules

It's not straightforward to configure this to only fetch a token every three requests, but fetching a token every request should be relatively straightforward. There's a bit of a learning curve with this feature, but it's very powerful.

Please let us know if you need any further assistance.

Burp User | Last updated: Jan 09, 2018 05:46AM UTC

Awesome thank you!!
