Request feature - Response timeout

[Pyvonix]

Hi PortSwigger team,

I propose the add a response's keyword: timeout as boolean value to know when the request didn't get a respond from the server for vulns like DOS.

Thank you.

[Hannah-PortSwigger]

Thanks for the feedback! We've raised this as a feature request to be discussed further.

[Hannah-PortSwigger]

This is a similar feature request to #32 and #72

[Pyvonix]

Hi @Hannah-PortSwigger,

No, this feature is not about the time it takes to make a request (as explain in #32 ).

This enhancement is to provide a boolean to know when a request raises the TimeoutException or not.

Use case:

• my BCheck made a request,
• it DOS the backend/server,
• then, I never receive any response.

Who could I know my rule successfully works?
The sent request will not have any response, so I will not be able to trigger any finding.

This is not the same usage than #32, which expected to test sql time based injection.

[Michelle-PortSwigger]

I'll check with the team exactly which scenarios the feature request here would cover. For example, whether it will cover cases where there is no response from the server as well as delayed responses. I'll be in touch soon with an update.

[Michelle-PortSwigger]

Hi

I've checked with the team this morning, and we do have both scenarios covered in the feature requests we have created for further discussion and are monitoring here. I'll leave this open for now to make it clearer that both enhancements have been logged.

[Pyvonix]

Thank you,

Waiting to see the new feature to tell you if it covers this usage.