Bitcoin Core: what happens if an intruder modifies the scriptSig to get the same hashMerkleRoot from a block?

I guess you mean scriptPubKey In the exits of the coinbase transaction.

Assuming that what you are describing is popularly known in cryptography as a collision. If you can find two different texts in such a way that they both produce identical hashes, then you will have a collision. If you change the scriptPubKey in the output of the coinbase transaction, assuming no collision occurs, the txid and therefore change the merkleroot, which in turn would change the block header hash.

The SHA-256 algorithm generates 32 bytes, which means that there is a total of 2 ^ 256 (or 10 ^ 77 combination). SHA256 is a one-way mathematical function, as a result, you will have to use brute force to produce hash similar to the previous one. Executing that type of brute force is not only computationally impossible, but also impossible due to the energy it consumes (verify this).

web application – How do I extract the data from the response and use it in the URL for the next request in Burp Intruder?

URL = https://www.example.com/send?session=abcabcabc

When the previous url is requested, an answer comes with < a > tag that contains a new URL with different session values ‚Äč‚Äčlike: https://www.example.com/send?session=xyzxyzxyz

As you can see, the value of the session has changed and has changed in each request.

So, my question is, how can I use the Burp intruder to make repeated requests?

The workflow must be:

Burp> request sent> get response> take url or response session value> send request with session value updated in url> loop continues.