Ability to view the delay of a response in a column (Intruder)

Cristiano Maruti Jan 26, 2015 01:20PM UTC

May be very useful while testing for time-based injection (SQL, command, and so on) to see the delay of a response returned by the remote web server.


Dafydd Stuttard Jan 26, 2015 01:54PM UTC Support Center agent

This information is already captured, but is hidden by default! You can turn it on using the Columns menu, and select “Response received” / “Response completed”.


cmaruti Feb 02, 2015 10:41AM UTC

Yeah indeed, but it would be more useful to have a single column with the computed delay value.

Dafydd Stuttard Feb 02, 2015 11:25AM UTC Support Center agent

The two timers contain different information – the time taken for a response to start and finish, respectively. Some time-based attacks cause a delay before a response starts (if the whole server-side logic is executed first) while some cause a delay while the response is already being streamed (e.g. if the headers are sent first, and then some further server-side processing happens on your input). So we definitely wouldn’t want to have a single column with only one of these bits of information.

By “computed time delay”, do you mean the difference between the current item’s timer and the base response timer? Since this would simply mean subtracting a fixed value from every row in the table, I don’t see that this would be any more useful than reporting the actual response times.
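The distinction between the two timers, as an added example that is not part of the original thread and is not Burp's own code: a constructed local server delays either before sending anything (`/before`) or after the headers and part of the body are out (`/during`), and a client records when the response starts and when it finishes. The paths, `DELAY`, `measure` and `run_demo` are hypothetical names, and the two measurements only approximate the "Response received" and "Response completed" columns.

```python
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DELAY = 0.5  # constructed value: seconds of simulated server-side processing


class Handler(BaseHTTPRequestHandler):  # constructed local test server
    def log_message(self, *args):  # silence per-request logging
        pass

    def do_GET(self):
        if self.path == "/before":
            time.sleep(DELAY)  # all server-side logic runs before any output
        self.send_response(200)
        self.send_header("Content-Length", "10")
        self.end_headers()
        self.wfile.write(b"first")
        if self.path == "/during":
            time.sleep(DELAY)  # headers already sent, processing continues
        self.wfile.write(b"-last")


def measure(port, path):
    """Return (received, completed) in seconds, counted from sending the request."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    start = time.monotonic()
    conn.request("GET", path)
    resp = conn.getresponse()  # returns once the status line and headers arrive
    received = time.monotonic() - start
    resp.read()  # blocks until the whole body has arrived
    completed = time.monotonic() - start
    conn.close()
    return received, completed


def run_demo():  # start the server, time each path, then shut it down
    with ThreadingHTTPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return {p: measure(server.server_port, p) for p in ("/base", "/before", "/during")}
        finally:
            server.shutdown()


if __name__ == "__main__":
    for path, (received, completed) in run_demo().items():
        print(f"{path:8} received={received * 1000:6.0f} ms  completed={completed * 1000:6.0f} ms")
```

For `/before` both timers carry the delay, while for `/during` only the completed timer does, so a single merged column would hide one of the two cases.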


Cristiano Maruti Feb 05, 2015 04:28PM UTC

Makes sense; now the logic behind the values reported in the two columns is clearer to me. Thanks.
