Token value replacement of burpsuite blasting

preparation

First of all, we need to build an experimental environment , The experimental environment we choose is DVWA. I believe many partners will encounter in penetration testing token Value different situations , So what we need to do is to use burpsuite The tool automatically gets the website generated token Value and blast

The recurrence process

First, let's visit DVWA Website , Check source code discovery , Just refresh the page every time ,token The value of will change


When we try to use burpsuite After direct bag grabbing blasting , Find all 302 Redirect , Obviously this will not work

So we need to Project Option Of Session Add autosnap on token The option to

Run a macro

Here we choose the beginning GET Requested page


Then edit this option , Add the option to automatically get that value



Here, select the field to update

Then enter Scope Options , add to URL Address


Then return to the brute force cracking module , Set variable values and load dictionaries , And choose always follow redirection Options


You can see that the password is password, Account No admin The response packet length of is obviously different

Check the contents of the response package and find that the explosion is successful