Intruder: Automating Attacks (Responsibly!)
Learn to configure and run automated attacks like fuzzing and brute-forcing.

Intruder: Burp's Automated Attack Dog

Burp Intruder is a powerful tool for automating custom attacks against web applications. It's incredibly versatile and can be used for a wide range of tasks, from simple fuzzing to complex, multi-stage attacks. Think of it as a highly configurable robot that can send thousands of slightly different requests to a target.

When to Use Intruder:

  • Fuzzing for vulnerabilities: Testing for XSS, SQLi, path traversal by injecting various payloads into different parts of a request.
  • Brute-forcing credentials: Trying lists of usernames and passwords against a login form.
  • Enumerating identifiers: Discovering valid user IDs, order numbers, or other predictable resources.
  • Rate limit testing: Seeing how an application responds to a large number of requests in a short time.
  • Session token analysis (simple cases): Checking for predictable session tokens (though Sequencer is better for in-depth analysis).

Intruder Attack Types - Choose Your Weapon:

  1. Sniper:

    • Uses a single set of payloads.
    • Targets one payload position at a time. If you mark multiple positions, Sniper iterates through payloads for the first position, then the second, and so on.
    • Use Case: Fuzzing a single parameter, brute-forcing a password for a known username.
    • It's like a sharpshooter, taking one precise shot at a time.
  2. Battering Ram:

    • Uses a single set of payloads.
    • Targets all marked payload positions simultaneously, placing the same payload in all positions for each request.
    • Use Case: Testing if multiple parameters accept the same input (e.g., injecting the same XSS payload into username and comment fields).
    • Imagine trying to break down a door by hitting it with the same battering ram in multiple spots at once.
  3. Pitchfork:

    • Uses multiple sets of payloads (one for each marked payload position, up to 20).
    • For each request, it takes the next payload from each list simultaneously.
    • Use Case: Brute-forcing usernames and passwords where you have separate lists for each (e.g., payload_set_1[0] with payload_set_2[0], then payload_set_1[1] with payload_set_2[1]).
    • Think of farmers with pitchforks, each tine (payload list) working in parallel.
  4. Cluster Bomb:

    • Uses multiple sets of payloads (one for each marked payload position).
    • It iterates through all possible combinations of payloads from the different sets, so the request count is the product of the list lengths. This generates a lot of requests!
    • Use Case: When you need to test every combination of inputs across multiple parameters (e.g., trying every username with every password from your lists).
    • This is the carpet bombing approach – very thorough, but can be very slow and noisy.
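
To make the four payload-combination rules concrete, here is an added Python model of them (example code written for this lesson, not part of Burp or any PortSwigger code). It assumes a constructed request body with two § positions and two small constructed word lists, and shows how many requests each attack type would send before you press Start Attack.

```python
import itertools
import math
import re
from typing import Iterator, Optional, Sequence

# Burp marks each payload position as §base value§. Constructed login body
# for illustration, not a request captured from any real application.
TEMPLATE = "username=§admin§&password=§letmein§"
MARKER = re.compile(r"§(.*?)§")
USERS = ["user1", "user2"]      # constructed stand-ins for real word lists
WORDS = ["p1", "p2", "p3"]

def render(template: str, payloads: Sequence[Optional[str]]) -> str:
    """Fill the marked positions left to right. A None entry keeps the base
    value between the markers, as Sniper does for positions it is not targeting."""
    it = iter(payloads)
    def fill(m):
        p = next(it)
        return m.group(1) if p is None else p
    return MARKER.sub(fill, template)

def generate(attack: str, template: str, sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """Yield every request Intruder would send. Sniper and Battering Ram use
    sets[0]; Pitchfork and Cluster Bomb need one set per marked position."""
    n = len(MARKER.findall(template))
    if attack in ("pitchfork", "cluster_bomb") and len(sets) != n:
        raise ValueError(f"{attack} needs {n} payload sets, got {len(sets)}")
    if attack == "sniper":                 # one position at a time
        for pos in range(n):
            for p in sets[0]:
                row: list = [None] * n
                row[pos] = p
                yield render(template, row)
    elif attack == "battering_ram":        # same payload in every position
        for p in sets[0]:
            yield render(template, [p] * n)
    elif attack == "pitchfork":            # lists advance in step, shortest list wins
        yield from (render(template, c) for c in zip(*sets))
    elif attack == "cluster_bomb":         # every combination of the sets
        yield from (render(template, c) for c in itertools.product(*sets))
    else:
        raise ValueError(f"unknown attack type: {attack}")

def request_count(attack: str, template: str, sets: Sequence[Sequence[str]]) -> int:
    """Closed-form request total: size the Request Engine (threads, delay) from this."""
    n, lens = len(MARKER.findall(template)), [len(s) for s in sets]
    return {"sniper": n * lens[0], "battering_ram": lens[0],
            "pitchfork": min(lens), "cluster_bomb": math.prod(lens)}[attack]
```

With the two lists above, Sniper sends 6 requests, Battering Ram 3, Pitchfork 2 and Cluster Bomb 6; with realistic word lists of thousands of entries the Cluster Bomb figure is what makes the Request Engine settings matter.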

Setting Up an Intruder Attack - The Basic Workflow:

  1. Send Request to Intruder: From Proxy, Repeater, or anywhere else in Burp, right-click the request and "Send to Intruder."
  2. Target Tab: Verify the target host and port.
  3. Positions Tab:
    • Burp automatically marks potential payload positions (e.g., parameter values). You can clear these (Clear §) and add your own (Add §).
    • Select your Attack Type (Sniper, Battering Ram, etc.).
  4. Payloads Tab:
    • Payload Sets: Configure your payload lists. You can use simple lists, character sets, numbers, dates, brute forcers, or even custom scripts.
    • Payload Processing: Apply rules to modify payloads before they are sent (e.g., URL encoding, adding prefixes/suffixes).
  5. Options Tab (Optional but Important):
    • Request Headers: Modify headers for all requests.
    • Request Engine: Control the number of threads, retries, and delays between requests (CRUCIAL for not DDoSing the target or getting blocked!).
    • Grep - Match: Define strings or regex to look for in responses (e.g., "Login successful", "Error").
    • Grep - Extract: Extract data from responses using regex.
    • Grep - Payloads: Highlight responses containing submitted payloads.
  6. Start Attack! Monitor the results table. Sort by columns (e.g., length, status code, Grep matches) to find interesting responses.

Ethical Considerations: Intruder can generate a massive amount of traffic. Always ensure you have permission to test, understand the scope, and configure Intruder responsibly to avoid overwhelming the target application or network. Start with low thread counts and add delays if unsure!