Burp Suite User Forum


Burp Intruder

Santosh | Last updated: Apr 10, 2019 06:05AM UTC

I have an OAuth application. If I use Intruder for a Cluster Bomb attack on a specific page of my application, I wanted to check how to run Intruder without the application session getting timed out if Intruder is running for a long duration. Is there a provision for Intruder to refresh the session when requests get timed out because of expired tokens?

PortSwigger Agent | Last updated: Apr 10, 2019 10:00AM UTC

This is possible, using session handling rules. There's some information here: https://support.portswigger.net/customer/portal/articles/2363088-configuring-burp-s-session-handling-rules If the application authorizes users with a bearer token in a header, this can't be done with Burp's built-in session handling rules, although the Custom Parameter Handler extension allows this.

Burp User | Last updated: Apr 11, 2019 10:06AM UTC

This is what I need and have configured so far:

1. After my Intruder PUT HTTP requests start getting an HTTP/1.1 Unauthorized response, I have configured Rule 1 with the rule action "Check session is valid".

2. Under "Check session is valid" I have added a macro to validate the session; in it I added the PUT request I use in Intruder. Under "Inspect response to determine session validity" I have checked the locations "HTTP headers" and "Response body" to look for the expression "401 Unauthorized". I then checked "If session is invalid, perform the action below" and selected "Run a macro"; there I have added a macro with an HTTP POST request containing the username and password to authenticate to the application.

3. Now my problem is how to retrieve the "access token" sent in the response to the above POST and use it in the HTTP header "Authorization: Bearer <access token should be placed here>", in this format, in the subsequent PUT requests run through the Intruder attack once 401 Unauthorized is first seen.

4. I have Custom Parameter Handler installed and would need steps on how to include and configure CPH when "After running the macro, invoke a Burp extension action handler" is checked.
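
Added example for step 3 of the post above; this is not code from the thread, from PortSwigger, or from the Custom Parameter Handler project. It is a minimal Burp Extender session-handling action written for Burp's Jython support that takes the final response of the login macro, pulls the access token out of its JSON body, and rewrites the Authorization header of the request Burp is about to replay. Assumptions (placeholders to adjust for the real target): the login POST is the last request in the macro, its response body is JSON with an "access_token" field, and the API expects "Authorization: Bearer <token>". The two pure-Python helpers are separated from the Burp API glue so they can be exercised outside Burp.

```python
# Added example, not PortSwigger's code: a Burp Extender session-handling action
# (Jython) that copies the access token returned by the login macro into the
# Authorization header of the request being replayed. Assumed: the macro's last
# response is JSON with an "access_token" field and the API wants
# "Authorization: Bearer <token>". Both names are placeholders.
import json

try:
    # Available when the script is loaded by Burp's Jython interpreter.
    from burp import IBurpExtender, ISessionHandlingAction
except ImportError:
    # Stand-ins so the helpers below can be run or tested outside Burp.
    class IBurpExtender(object):
        pass

    class ISessionHandlingAction(object):
        pass

try:
    string_types = basestring  # Python 2 / Jython, which is what Burp runs
except NameError:
    string_types = str         # Python 3, when exercising the helpers outside Burp

TOKEN_FIELD = "access_token"   # assumed field name in the login response body
AUTH_HEADER = "Authorization"


def extract_token(response_body):
    """Return the bearer token from a JSON login response, or None if absent."""
    try:
        data = json.loads(response_body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    token = data.get(TOKEN_FIELD)
    if not isinstance(token, string_types) or not token:
        return None
    return token


def set_bearer_header(headers, token):
    """Return a copy of the header lines (request line first, as Burp's
    IRequestInfo.getHeaders() gives them) carrying exactly one Authorization
    header with the new token: the first existing one is replaced in place,
    duplicates are dropped, and if none exists the header is appended."""
    value = "{0}: Bearer {1}".format(AUTH_HEADER, token)
    prefix = AUTH_HEADER.lower() + ":"
    out = []
    replaced = False
    for line in headers:
        if line.lower().startswith(prefix):
            if not replaced:
                out.append(value)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(value)
    return out


class BurpExtender(IBurpExtender, ISessionHandlingAction):
    """Registers an action selectable under 'After running the macro, invoke a
    Burp extension action handler' in a session handling rule."""

    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Bearer token from login macro")
        callbacks.registerSessionHandlingAction(self)

    def getActionName(self):
        # Name shown in the session handling rule editor.
        return "Copy access_token from macro into Authorization header"

    def performAction(self, currentRequest, macroItems):
        # macroItems holds the macro's request/response pairs in order; the
        # login POST is assumed to be the last one.
        if macroItems is None or len(macroItems) == 0:
            return
        response = macroItems[len(macroItems) - 1].getResponse()
        if response is None:
            return
        resp_info = self._helpers.analyzeResponse(response)
        body = self._helpers.bytesToString(response[resp_info.getBodyOffset():])
        token = extract_token(body)
        if token is None:
            self._callbacks.printError("Login macro response had no usable %s" % TOKEN_FIELD)
            return
        request = currentRequest.getRequest()
        req_info = self._helpers.analyzeRequest(request)
        headers = set_bearer_header(list(req_info.getHeaders()), token)
        request_body = request[req_info.getBodyOffset():]
        currentRequest.setRequest(self._helpers.buildHttpMessage(headers, request_body))
```

To use it: load the file under Extender > Extensions with Jython configured, then in the session handling rule's "Run a macro" action tick "After running the macro, invoke a Burp extension action handler" and choose the action name above. The rule's scope has to include Intruder and the target URL, otherwise the attack's requests never pass through it. Because the header is rewritten only when the validity check fails, the first 401 in the attack is still recorded before the re-login kicks in, which is the behaviour the post describes.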

Liam, PortSwigger Agent | Last updated: Apr 11, 2019 10:34AM UTC

Have you checked out the documentation on the GitHub page? https://github.com/portswigger/custom-parameter-handler If you have any further queries regarding the extension, we would suggest contacting the author.
