Hello,
This is the first time I've used the BurpSuite Intruder and I wanted to do a very simple brute force attack on a local DVWA instance. So I set up the proxy, received the GET request and sent it to the Intruder, where I processed the positions, which looked like this:
Code:
GET /dvwa/vulnerabilities/brute/?username=§aaa§&password=§bbb§&Login=Login HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.56.101/dvwa/vulnerabilities/brute/?username=aa&password=bb&Login=Login
Cookie: security=low; PHPSESSID=73bkkfotgpfijhnr30e7j12285; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
Upgrade-Insecure-Requests: 1
If I now want to edit the 2 positions in the Payload - Tab, I can only select the username - position but not the password one:
I have tested 4 different Burp versions (
- Arch Linux 5.6.4: v2020_2_1 and 2_1_04
- Kali Linux 2020.1: v2.1.07
- Windows 10 17763: v2020_2_1
always in the Community edition).
I haven't (yet) set up/changed anything in the software, I just started it (Temporary Project -> Use Burp defaults).
Does anyone here know the error and a possible fix?