Custom Iterator

1. In Mutillidae, go to the login page by clicking the "Login/Register" link.

2. Ensure Burp is in intercept mode.

3. Click the "Please register here" link.

4. Intercept the request and send it to Intruder.

5. In the "Intruder" > "Positions" tab, mark all positions where user input is expected.

6. We intend to create unique users with user names like user_1, user_2, user_3, and so on. Navigate to the Payloads sub-tab.

7. Select the payload set corresponding to the username field.

8. Select the payload type "Custom Iterator".

9. Select Position 1 and enter the static text "user" as its only item.

10. Enter "_" (an underscore) as the separator for position 1; it is placed between position 1 and position 2 in every generated payload.

11. Select Position 2 and load a list of distinct values, say, the numbers from 1 to 20. Intruder combines every item of position 1 with every item of position 2, giving user_1 through user_20.

12. Navigate to the Options sub-tab. In the "Grep - Extract" section, click the "Add" button.

13. Click "Refetch response", then highlight the text that should be extracted from each server response (for example, the registration result message), so the extracted value appears as a column in the attack results.

14. Start the attack.
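To make the payload construction concrete, here is an added example (not part of the original page and not Burp Suite's own code) that re-implements how the Custom Iterator combines positions and separators, and applies a Grep - Extract style extraction to constructed sample responses. The responses and the delimiters are assumptions made up for the demonstration; the generator is written for any number of positions, not only the two used above.

```python
from itertools import product
import re


def custom_iterator(positions):
    """Yield payloads the way Burp's Custom Iterator builds them.

    positions is a list of (items, separator) pairs.  Every item of the
    first position is combined with every item of the next position and so
    on (Cartesian product, last position varying fastest).  A position's
    separator is placed between that position and the following one, so the
    separator of the last position is never emitted (assumption, matching
    steps 9-11 above).
    """
    parts = []
    last = len(positions) - 1
    for index, (items, separator) in enumerate(positions):
        suffix = separator if index < last else ""
        parts.append([item + suffix for item in items])
    for combo in product(*parts):
        yield "".join(combo)


def usernames(count=20):
    """Position 1: static text 'user', separator '_'; position 2: 1..count."""
    return list(custom_iterator([
        (["user"], "_"),
        ([str(n) for n in range(1, count + 1)], ""),
    ]))


def grep_extract(responses, start, end):
    """Return the text between two delimiters in each response (Grep - Extract).

    None is recorded for a response that does not contain the delimiters,
    mirroring an empty extract column in the attack results.
    """
    pattern = re.compile(re.escape(start) + r"(.*?)" + re.escape(end), re.S)
    results = []
    for body in responses:
        match = pattern.search(body)
        results.append(match.group(1).strip() if match else None)
    return results


# Constructed sample responses, loosely modelled on a registration reply.
SAMPLE_RESPONSES = [
    '<div class="result">Account created for user_1</div>',
    '<div class="result">Account created for user_2</div>',
    '<div class="error">Username user_3 already exists</div>',
]

if __name__ == "__main__":
    print(usernames(3))  # ['user_1', 'user_2', 'user_3']
    print(grep_extract(SAMPLE_RESPONSES, '<div class="result">', "</div>"))
```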
