Getting Started With Burp Intruder
Burp Intruder is a powerful tool for performing automated customized
attacks against web applications. It is extremely flexible and configurable,
and can be used to automate all kinds of tasks that arise when testing
Note: Using Burp Intruder may result in unexpected
effects in some applications. Until you are fully familiar with its
functionality and settings, you should only use Burp Intruder against
To start getting to know Burp Intruder, carry out the following steps:
- First, ensure that Burp is installed and running, and that you have
configured your browser to work with Burp.
- If you have not done so already, browse around some of your target
application, to populate Burp's Target site map with details of the
application's contents and functionality. Before doing so, to speed
things up, go to the Proxy tab, then the Intercept sub-tab, and turn off
Proxy interception (if the button says "Intercept is on" then click it
to toggle the interception status to off).
- Go to the Proxy tab, and the History sub-tab. Find an
interesting-looking request to your target application, containing a
number of parameters. Select this single request, and choose "Send to
Intruder" from the context menu.
- Go to the Intruder tab. Burp Intruder lets you configure multiple
attacks simultaneously. Each request that you send to Intruder opens in
its own attack tab, and these are sequentially numbered by default. You
can double click a tab header to rename the tab, drag tabs to reorder
them, and also close and open new tabs.
- Within the Intruder attack tab that was created for the request that
you sent, look at the Target and Positions tabs. These have been
automatically populated with the details of the request that you sent.
- Burp Intruder essentially works by taking a base template request
(the one that you sent there), cycling through a number of attack
payloads, placing these payloads into defined locations within the base
request, and issuing each resulting request. The Positions tab is used
to configure the positions where payloads will be inserted into the base
request. You can see that Burp has automatically made a guess at where
you would like to position payloads. By default, payloads are placed
into the values of all request parameters and cookies. Each pair of
payload markers defines a single payload position, and may enclose some
text from the base request, which will be replaced with the contents of
the payload when that payload position is used. For further details, see
the Payload Markers help.
- The buttons next to the request editor can be used to add and clear
the payload markers. Try adding payload markers in new locations within
the request, and removing other markers, and see the effects. When you
have understood how the payload markers work, click the "Auto §" button
to revert to the default payload positions that Burp configured for you.
If you have modified the text of the request itself, you
can repeat step 3 (sending the request to Intruder from the Proxy
history) to create a new Intruder attack tab with the original
request in it.
- Go to the Payloads tab. This lets you define the payloads that will
be placed into the defined payload positions. Keep the default setting
(to use a "Simple list" of payloads), and add some test strings to the
list. You can enter your own strings by typing into the "Enter a new
item" box and clicking "Add". Or you can use the "Add from list"
drop-down and choose "Fuzzing - quick" from the list of built-in payload
strings [Pro version].
- You have now configured the bare minimum of options to launch an
attack. Go to the Intruder menu, and select "Start attack".
- The attack opens in a new window containing a table in the Results
tab. The results table contains an entry for each request that has been
made, with various key details such as the payload used, HTTP status
code, response length, etc. You can select any item in the table to view
the full request and response. You can also sort the table by clicking
on column headers, and filter the contents of the table using the filter
bar. These features work in the same way as for the
- The attack window contains other tabs, which show the configuration
that was used for the current attack. You can modify most of this
configuration after the attack has started. Go to the Options tab,
scroll down to "Grep - Match", and check the box "Flag result items with
responses matching these expressions". This will cause Intruder to search
responses for items matching each expression in the list, and flag those
with matches.
By default, the list shows some common error strings that are useful
when fuzzing, but you can configure your own strings if you wish. Go
back to the Results tab and see that Intruder has added a column for
each item in the list, and these contain checkboxes indicating whether
the expression was found in each response. If you are lucky, your basic
fuzzing might have triggered an error message in some responses that
indicates the presence of a bug.
- Now select any item in the table and look at the response for that
item. Find an interesting string in the response (such as the page
title, or an error message). Right-click the item in the table, and
select "Define extract grep from response" from the context menu. In the
dialog, select the interesting string in the response, and click "OK".
The results table now contains a new column which extracts this piece of
text from each response (which may be different in each case). You can
use this feature to locate interesting data in large attacks with
thousands of responses. Note that you can also configure "extract grep"
items in the Options tab, prior to or during an attack.
- Select any item in the results table, and open the context menu.
Choose "Send to Repeater", and go to the Repeater tab. You will see the
selected request has been copied into the Repeater tool, for
further testing. Many other useful options are available on the context
menu. For more details on sending items between Burp tools, and the
overall testing workflow, see Using Burp Suite.
- You can use the "Save" menu in the results window to save either the
results table or the entire attack. You can load the results table into
other tools or a spreadsheet program. You can reload saved attacks via
the Intruder menu on the main Burp UI.
- These steps have only described one simple use case for Burp
Intruder, for fuzzing a request with some standard attack strings and
grepping for error messages. You can use Intruder for many different
types of attack, with numerous different payloads and attack options.
For more details, see Typical Uses
for Burp Intruder.
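The template-and-positions model and the grep columns described in the steps above, as an added example (not Burp's code and not part of the original page). It expands a base request one payload position at a time, then builds a results table with grep-match flags and a grep-extract column. The `stub_app` function, the sample request and the host `test.example` are constructed so that it runs offline.

```python
import re

MARK = "§"  # the payload marker character shown in the Positions tab

def parse_positions(template):
    """Split a marked-up template; odd indexes are the enclosed base values."""
    parts = template.split(MARK)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced payload markers")
    return parts

def expand(template, payloads):
    """Yield (position, payload, request): one position replaced per request,
    every other position keeping the base text its markers enclosed."""
    parts = parse_positions(template)
    for pos in range(1, len(parts), 2):
        for payload in payloads:
            req = parts[:pos] + [payload] + parts[pos + 1:]
            yield (pos // 2 + 1, payload, "".join(req))

def stub_app(request):
    """Constructed stand-in for the target: errors on a non-numeric id."""
    m = re.search(r"[?&]id=([^& ]*)", request)
    if m and not m.group(1).isdigit():
        return 500, "<title>Error</title> unhandled exception in handler"
    return 200, "<title>Item</title> ok"

def run(template, payloads, match_exprs, extract_re):
    """Build a results table: status, length, grep-match flags, grep-extract."""
    rows = []
    for pos, payload, request in expand(template, payloads):
        status, body = stub_app(request)
        # Assumption of this example: expressions are matched case-insensitively.
        flags = {e: e.lower() in body.lower() for e in match_exprs}
        m = re.search(extract_re, body)
        rows.append({"position": pos, "payload": payload, "status": status,
                     "length": len(body), "flags": flags,
                     "extract": m.group(1) if m else ""})
    return rows

# Constructed base request with two payload positions.
TEMPLATE = "GET /item?id=§42§&lang=§en§ HTTP/1.1\r\nHost: test.example\r\n\r\n"

if __name__ == "__main__":
    for row in run(TEMPLATE, ["7", "abc"], ["exception"], r"<title>(.*?)</title>"):
        print(row)
```

Sorting the rows by `status`, `length` or the flag column mirrors how the results table is triaged: the one row whose values differ from the rest is the response worth opening.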