Burp Suite User Forum

How Do I: Tell Intruder that a particular field must be unique for every request?

Felix | Last updated: May 25, 2017 01:09PM UTC

Hey, I have a web app that has an "Add User" feature. The form submission includes lots of details (about 150) and one of the fields submitted is the "Username" field. I have used the pitchfork attack type and this sort-of works. Unfortunately, it seems to mean that I have to test every single field other than the username individually. I also like using the Intruder to narrowly target my active scans as it can more easily pick things up like time-based injection issues. Whilst I have completed the work on this web app test, it would be nice to know how to make it more efficient in the future. Is there a way of doing this that I don't know about? Thanks!

PortSwigger Agent | Last updated: May 25, 2017 02:22PM UTC

There isn't currently a way to make Intruder put a different value in each request other than by assigning it a payload position and using a suitable payload generator. A workaround would be to write a short extension that registers a session handling action that sets a random (or incrementing) value in the parameter. You can then issue the request using any Burp tool (Scanner, Repeater, etc.) and the session rule will automatically update the value to something new.
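
The workaround described in the reply above could look like the following sketch. It is an added example, not part of the original thread or PortSwigger's own code, and it uses Burp's legacy Extender API. Assumptions: the field is named `Username` and is sent as an ordinary URL or form-body parameter; the extension name, action name and value format are illustrative.

```java
package burp;

import java.util.concurrent.atomic.AtomicLong;

// Added example: session handling action that rewrites one parameter per request.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    // Assumption: the field that must be unique is called "Username".
    private static final String PARAM_NAME = "Username";

    private IExtensionHelpers helpers;
    // The start time keeps values unique across Burp restarts; the counter keeps
    // them unique across concurrent requests within this run.
    private final String runId = Long.toString(System.currentTimeMillis(), 36);
    private final AtomicLong counter = new AtomicLong();

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Unique parameter value");
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() {
        return "Set unique value in " + PARAM_NAME;
    }

    @Override
    public void performAction(IHttpRequestResponse currentRequest,
                              IHttpRequestResponse[] macroItems) {
        byte[] request = currentRequest.getRequest();
        IParameter existing = helpers.getRequestParameter(request, PARAM_NAME);
        if (existing == null) {
            return; // request does not carry the field; leave it alone
        }
        byte type = existing.getType();
        if (type != IParameter.PARAM_URL && type != IParameter.PARAM_BODY) {
            return; // only plain URL/body form parameters are rewritten here
        }
        String value = "u" + runId + "x" + counter.incrementAndGet();
        IParameter updated = helpers.buildParameter(PARAM_NAME, value, type);
        currentRequest.setRequest(helpers.updateParameter(request, updated));
    }
}
```

Once loaded, the action is selected in a session handling rule through the "Invoke a Burp extension" rule action, with the rule's tool scope set to the tools that should use it. Because the action overwrites the field unconditionally, any payload a tool places in `Username` itself is replaced, so that field still needs to be tested separately.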