Burp Suite User Forum

Building a Burp Intruder extension that generates multiple payloads for a single request.

James | Last updated: May 11, 2016 06:44AM UTC

I'm working on a Burp Intruder extension for pen-testing our own custom API. As part of the protocol, an HMAC is generated by the client and added to the header, along with another custom header parameter. The body contains a number of JSON fields, the values of which are also used in the HMAC. I need to generate the HMAC from the JSON body and the custom header parameter for each request, as they're dynamic. Is there a way with Intruder to generate multiple payloads for different positions to be included in a single request?

PortSwigger Agent | Last updated: May 11, 2016 07:12AM UTC

You can use the pitchfork and cluster bomb attack types in Intruder to use different payloads at different positions in the same request. However, it sounds like the easiest way to deal with this situation would be to make an extension that takes a request that Burp has generated and fixes up the HMAC values based on the contents of the request. That way, Burp's tools don't need to know about the custom headers, and your extension can be applied to requests generated by any of Burp's tools (Proxy, Repeater, etc.). You could make your extension work by registering an IHttpListener or via a custom session handling action.
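
The IHttpListener approach from the reply above, as an added example (not code from the thread or from PortSwigger): a Jython extension that recomputes the HMAC header on each outgoing request. The header names, the key and the signing string (header parameter plus JSON field values in sorted key order, HMAC-SHA256) are assumptions, because the thread does not describe the API's scheme.

```python
import hashlib, hmac, json

try:  # the burp module exists only inside Burp's Jython runtime
    from burp import IBurpExtender, IHttpListener
except ImportError:  # stand-ins so sign_headers() also runs outside Burp
    class IBurpExtender(object): pass
    class IHttpListener(object): pass

SECRET = b"constructed-demo-key"  # assumption: shared key of the API under test
NONCE_HEADER = "x-api-nonce"      # hypothetical name of the custom header parameter
HMAC_HEADER = "X-Api-Hmac"        # hypothetical name of the HMAC header

def sign_headers(headers, body):
    """Return headers with a fresh HMAC, or None if the request should be left alone."""
    nonce, kept = None, []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == HMAC_HEADER.lower():
            continue  # drop the stale HMAC sent by the Burp tool
        if name.strip().lower() == NONCE_HEADER:
            nonce = value.strip()
        kept.append(line)
    try:
        fields = json.loads(body)
    except ValueError:
        return None  # body is not JSON, so this is not a signed API call
    if nonce is None or not isinstance(fields, dict):
        return None
    # Assumed signing string: header parameter, then field values by sorted key
    msg = "|".join([nonce] + ["%s" % fields[k] for k in sorted(fields)])
    mac = hmac.new(SECRET, msg.encode("utf-8"), hashlib.sha256).hexdigest()
    return kept + ["%s: %s" % (HMAC_HEADER, mac)]

class BurpExtender(IBurpExtender, IHttpListener):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("HMAC re-signer (example)")
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        if not messageIsRequest:
            return
        request = messageInfo.getRequest()
        info = self._helpers.analyzeRequest(request)
        body = request[info.getBodyOffset():]
        signed = sign_headers(list(info.getHeaders()), self._helpers.bytesToString(body))
        if signed is not None:
            messageInfo.setRequest(self._helpers.buildHttpMessage(signed, body))
```

Because the listener runs after Intruder has placed its payloads, the body positions can be fuzzed freely and the HMAC still matches what is actually sent.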
