Burp Intruder inaccurate received and completed response time
In Intruder, in order to execute blind sql injection, I selected the Received time from the columns menu in intruder attack window. While executing the attack, I noticed that the response times are not correct after the "TRUE" condition is met.
For example, if the password length is 6, testing for something like LENGTH(password)=? with a list of numbers from 1 to 10 and a sleep time of 5 seconds, the received time is seems correct up to 6, showing more or less 100ms for each request.
But after the TRUE condition, which is 6, the received time of the 7,8,9 and 10 payloads is approximately 10 seconds, which is wrong.
Only the 6 payload should have a received time of 10s.
Overall execution takes less than 11 seconds.
Thanks for this report. Could you send us a screenshot displaying this issue to firstname.lastname@example.org.