Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Upstream Server Proxy only allow 1 request via Intruder for the whole payload

Chim | Last updated: Oct 24, 2023 10:05PM UTC

I am testing to see how Upstream Server Proxy work. Therefore, I created a session Rule to run 2 macros Request at https://ipinfo.io/ip, and https://httpbin.org/ip. For the upstream server, I set up to have a rotating IP address for each request. When running the Repeater Tab with Request at https://ipinfo.io, I noticed that the IP address stay the same for all Requests within Macros. Only the Request for Repeater would change the IP address. However, when running via Intruder Payload, all IP addresses thru out the Macros and Intruder Payload are staying the same. Which mean that the first Request from Macros went thru Upstream Server Proxy and update the new IP addresses. The rests of the Request would have the same IP addresses as the first Request from Macros. This would fine to each session to have the same IP addresses. However, when a new payload started the Intruder need to revisit the Upstream Server to have an updated IP address. Is this a bug? I tried to test out this scenario by open a Temporary Project to test it out and the result are the same. Please advise how can I have the Intruder to route back to Upstream Server again for each payload.

Hannah, PortSwigger Agent | Last updated: Oct 25, 2023 04:49PM UTC

Hi In your Intruder attack > Settings panel, do you have HTTP/1 connection reuse enabled? If you disable this, does the behavior change?

Chim | Last updated: Oct 25, 2023 08:40PM UTC

I already disabled this and the behavior is still the same. You can test it out.

Hannah, PortSwigger Agent | Last updated: Oct 26, 2023 03:19PM UTC