Burp Intruder inaccurate received and completed response time

Paulo Jul 25, 2019 09:28AM UTC

In Intruder, in order to execute blind SQL injection, I selected the Received time from the columns menu in the Intruder attack window. While executing the attack, I noticed that the response times are not correct after the "TRUE" condition is met.

For example, if the password length is 6, testing for something like LENGTH(password)=? with a list of numbers from 1 to 10 and a sleep time of 5 seconds, the received time seems correct up to 6, showing more or less 100ms for each request.

But after the TRUE condition, which is 6, the received time of the 7, 8, 9 and 10 payloads is approximately 10 seconds, which is wrong.

Only the 6 payload should have a received time of 10s.

Overall execution takes less than 11 seconds.


Liam Tai-Hogan Jul 26, 2019 09:43AM UTC Support Center agent

Thanks for this report. Could you send us a screenshot displaying this issue to support@portswigger.net?

