
Call Sequence after Request

Open er4z0r opened this issue 3 years ago • 3 comments

First off: Thank you Corey for this great extension. Adding to Logger++ that's two missing features in Burp that you have provided great implementations for.

I was wondering if there is a way to call a sequence after having made a request (similar to a post-request macro). My use case: I would like to fuzz a specific step in a sequence. I can already execute the sequence of steps leading up to this one using the X-Stepper-Execute-Before Header, but as it is, I can only see the output of the submitted data in a final summary step of the sequence. So for detecting simple stuff like XSS I'd need to execute all steps up until step X and then all the following steps until the end.

Is there a way to do this with Stepper as it is now or would that require a new feature?

er4z0r avatar Jul 14 '21 15:07 er4z0r

Thank you for your comment, I appreciate it! :)

There's not a way to achieve this at the moment, but it is something I can definitely implement. Unfortunately though, the only way to view the output of the post-request sequence would be to manually navigate to the sequence once the request containing the X-Stepper-Execute-After header is executed, or use Logger++ to view the output. Would an implementation like this be okay?

CoreyD97 avatar Jul 14 '21 16:07 CoreyD97

Well if compared to not having that capability at all, I think it would def. be an option, when used in combination with repeater. Using it in combination with intruder or even scanner would not be possible that way though, right?

I guess the perfect thing to happen would be for Portswigger to do the same as they did with Logger++/Flow: Recognize it is a missing feature and add it to the core of Burp based on the user experience you have created with Stepper :)

Until that happens, the X-Stepper-Execute-After with the above caveats may be a good thing.

er4z0r avatar Jul 14 '21 17:07 er4z0r

Would be nice to mention "X-Stepper-Execute-After" (and X-Stepper-Execute-Before) in the ReadMe. Those are very helpful. Also it would be nice to have those changes in the portswigger-fork of your project, since they are missing some recent changes 😑

Anyways, thanks for your work, I really like it.

si90 avatar Mar 06 '24 09:03 si90