Burp Intruder


Burp Intruder is a tool for automating customised attacks against web applications.

You can use Burp Intruder to perform many kinds of tasks, including enumerating identifiers, harvesting useful data, and fuzzing for vulnerabilities. It can be used to test for flaws such as SQL injection, cross-site scripting, buffer overflows and path traversal; perform brute force attacks against authentication schemes; manipulate request parameters; trawl for hidden content and functionality; exploit session token predictability; mine for interesting data; and perform concurrency attacks and application-layer denial-of-service attacks. For a detailed discussion of the kinds of attack that can be performed using Burp Intruder, see Chapter 13 of The Web Application Hacker's Handbook.

Key features include:

  • Highly configurable algorithms for generating malicious HTTP requests.
  • Large number of built-in attack "payloads".
  • Tools for generating customised attack vectors, based on character sequences, substitution, malformed encoding, brute forcing, enumerated tokens, etc.
  • Full integration with other Burp Suite tools.
  • Customisable tests for anomalous or interesting server responses.
  • Detailed capture of results.
  • IDS evasion and DoS mode.
  • Support for proxy servers, and authentication using basic, NTLM and digest types.
  • Runs on both Linux and Windows.

New features in version 1.3 include:

  • Improved analysis and rendering of HTTP requests and responses.
  • Ability to follow 3xx redirects during an attack.
  • Support for custom client SSL certificates.
  • Payload grep option can match on pre-encoded payload values.

Burp Intruder is part of the Burp Suite of web application hack tools. For examples of Burp Intruder in action, see the screenshots, or for detailed information about the configuration and execution of Burp Intruder, see the help file.

 

Copyright (c) 2008 PortSwigger Ltd. All rights reserved.