My issue is that I am attempting to fuzz a 2 stage login for a custom webapp.
What I need to do is GET for the initial page which will provide me with an anti-csrf token and a sessionID.
From there I POST a username who's response will provide me with another token
That second token will be used in the final POST along with the anti-csrf token and sessionID to submit the password to the server. The username is only linked to the second POST through the second token which is tracked at each login attempt so a new one is required at each login attempt.
Ideally I would like to fuzz both POST's in a chain using intruder, but will settle for a macro chain that will allow parameters from the GET and first POST to be passed to intruder at which point the password field will be fuzzed and submitted to the server.
I've done some research on burp macros and it seems like it should be possible, although unorthodox for their normal use. The issue I'm having is with the extraction and passing of the parameters to intruder.
Any help would be greatly appreciated, thank you.