Burp Suite, the leading toolkit for web application security testing

Using Burp Intruder

Burp Intruder is a tool for automating customized attacks against web applications. It is extremely powerful and configurable, and can be used to perform a huge range of tasks, from simple brute-force guessing of web directories through to active exploitation of complex blind SQL injection vulnerabilities.

How Intruder Works

Burp Intruder works by taking an HTTP request (called the "base request"), modifying the request in various systematic ways, issuing each modified version of the request, and analyzing the application's responses to identify interesting features.

For each attack, you must specify one or more sets of payloads, and the positions in the base request where the payloads are to be placed. Numerous methods of generating payloads are available (including simple lists of strings, numbers, dates, brute force, bit flipping, and many others). Payloads can be placed into payload positions using different algorithms. Various tools are available to help analyze the results and identify interesting items for further investigation.

Typical Uses

Burp Intruder is a very flexible tool and can help automate all kinds of tasks when testing web applications. The most common use cases for Intruder fall into the following categories:

For a further discussion of the kinds of attacks that can be performed using Burp Intruder, see The Web Application Hacker's Handbook (chapter 13 in the first edition, and chapter 14 in the second edition).

Enumerating Identifiers

Web applications frequently use identifiers to refer to items of data and resources; for example, usernames, document IDs, and account numbers. Often, you will need to cycle through a large number of potential identifiers to enumerate which ones are valid or worthy of further investigation. To do this in Burp Intruder, you need to perform the following steps:

Some examples of real-world attacks of this type are as follows:

Harvesting Useful Data

In many situations, rather than simply identifying valid identifiers, you need to extract some interesting data about each item, to help you focus your efforts on the most critical items, or to feed in to other attacks. To do this in Burp Intruder, you need to perform the following steps:

Some examples of real-world attacks of this type are as follows:

Fuzzing For Vulnerabilities

Many input-based vulnerabilities, such SQL injection, cross-site scripting, and file path traversal can be detected by submitting various test strings in request parameters, and analyzing the application's responses for error messages and other anomalies. Given the size and complexity of today's applications, performing this testing manually is a time consuming and tedious process.

You can automate web application fuzzing with Burp Intruder, using the following steps:

Note: When fuzzing, you will typically want to test a large number of requests using the same Intruder payloads and match grep configuration. To facilitate this, you can use the Intruder menu to configure the "New tab behavior" option to "Copy configuration from last tab". Then, when you have configured your payloads and grep strings for one request, subsequent requests that you send to Intruder will pick up the same configuration options within their tab. To fuzz multiple requests, you then simply need to send each one to Intruder, and choose "Start attack" from the Intruder menu.

Configuring an Attack

The main Intruder UI lets you configure multiple attacks simultaneously, each in its own tab. When you send requests to Intruder, each one is opened in its own numbered tab. Each attack configuration tab contains several sub-tabs that are used to configure the attack. Use the links below for help on the details of each tab:

The easiest way to create a new Intruder attack is to select the relevant base request within another Burp tool (such as the Proxy history or Target site map), and use the "Send to Intruder" option on the context menu. This will create a new attack tab, and automatically populate the Target and Positions tabs with the relevant details about the base request. You can then modify the automatic payload positions if required, and configure suitable payloads and other attack options.

Burp Intruder has a number of functions to help you manage attack configurations. These functions are available via the Intruder menu:

The attack tabs themselves are easy to manage. You can:

Launching an Attack

When your attack is fully configured, you can launch the attack by selecting "Start attack" from the Intruder menu.

Each attack runs in a new window, containing detailed results, with full requests and responses (if configured). There are various functions to help you analyze the results, and identify interesting items for further investigation. You can:

User Forum

Get help from other users, at the Burp Suite User Forum:

Visit the forum ›

Monday, July 28, 2014


This release includes a new engine for static analysis of JavaScript code. This enables Burp Scanner to report a range of new vulnerabilities, including DOM-based XSS, JavaScript injection, Client-side SQL injection and several other vulnerability types.

See all release notes ›

Copyright © 2014 PortSwigger Ltd. All rights reserved.