Custom Iterator
1. In Mutillidae, go to the login page by clicking the "Login/Register" link.
2. Ensure Burp is in intercept mode.
3. Click the "Please register here" link.
4. Intercept the request and send it to Intruder.
5. In "Intruder" > "Positions" tab, mark all positions where user input is expected.
6. We intend to create unique users with user names like user_1, user_2, user_3, and so on. Navigate to the "Payloads" sub-tab.
7. Select the payload set corresponding to the username field.
8. Select the payload type "Custom Iterator".
9. Select "Position" as 1 and enter the static text user for position 1.
10. Enter _ (i.e., underscore) as the separator for position 1.
11. Select "Position" as 2 and load a list of distinct values, say, the numbers from 1 to 20.
12. Navigate to the "Options" sub-tab. In the "Grep - Extract" section, click the "Add" button.
13. Click "Refetch response", and highlight the text that needs to be extracted from each of the server responses.
14. Start the attack.
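
The payloads that steps 9 to 11 configure, and the extraction that steps 12 and 13 set up, modelled in Python as an added example (not part of the original page and not Burp's own code). The response markup and the delimiters are constructed for illustration, and the ordering of combinations when several positions hold more than one item is an assumption.

```python
from itertools import product


def custom_iterator(positions):
    """Model of a Custom Iterator payload set.

    positions: list of (items, separator) pairs, one per position.
    Each generated payload is every position's item followed by that
    position's separator, concatenated in position order.
    Assumption: combinations are enumerated with the last position
    varying fastest; with a single item in position 1 the order is
    the same either way.
    """
    item_lists = [[str(item) for item in items] for items, _ in positions]
    separators = [sep for _, sep in positions]
    for combo in product(*item_lists):
        yield "".join(item + sep for item, sep in zip(combo, separators))


def grep_extract(body, start, end):
    """Return the text between the first `start` and the next `end`,
    or None when either delimiter is missing from the response."""
    begin = body.find(start)
    if begin == -1:
        return None
    begin += len(start)
    stop = body.find(end, begin)
    return body[begin:stop] if stop != -1 else None


# Configuration from steps 9 to 11 of the procedure.
USERNAME_POSITIONS = [
    (["user"], "_"),      # position 1: static text "user", separator "_"
    (range(1, 21), ""),   # position 2: numbers 1 to 20, no separator
]


def usernames():
    return list(custom_iterator(USERNAME_POSITIONS))


# Constructed response body; not Mutillidae's actual markup.
SAMPLE_BODY = '<h2 class="result">Account created for user_7</h2>'

if __name__ == "__main__":
    names = usernames()
    print(len(names), names[:3], names[-1])
    print(grep_extract(SAMPLE_BODY, '<h2 class="result">', "</h2>"))
```

Checking the generated list before starting the run confirms that every username is distinct and that the separator sits where intended.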