Guessing passwords with Burp Suite

  • Last updated: March 17, 2023

  • Read time: 2 Minutes

You can use Burp Intruder to insert a list of possible passwords into a login failure message, after you've identified valid usernames. This enables you to identify valid passwords, which can be used to gain unauthorized access to the application.

Before you start

Identify a valid username. For more information, see Enumerating usernames with Burp Suite.


You can follow along with the process below using our Username enumeration via subtly different responses lab. If you're using the lab, make sure you use the list of passwords included in the lab instructions.

You can use Burp Intruder to guess passwords:

  1. Identify a failure message for a password-based authentication mechanism, using a valid username. Send the request to Burp Intruder.
  2. Go to the Intruder tab and click Clear § to remove the default payload positions.
  3. Highlight the password value and click Add § to mark it as a payload position. Make sure that you're using a valid username.

    Add a password payload position
  4. Go to the Payloads tab. Under Payload settings [Simple list] add a list of passwords that you want to test.

  5. Go to the Settings tab. Under Grep - Match, select Flag result items with responses matching these expressions. When you start the attack, Intruder identifies messages that include the expressions in the list. You can use the default list of expressions or add your own.
  6. Add an extract grep for sections of interest in the response.

    1. Under Grep - Extract, select Add. The Define extract grep item dialog opens.
    2. Highlight the section in the response that you want to extract, such as an error message.
    3. Click OK. The item is added to the list. When you start the attack, Intruder will extract the text at this location in each response and display it on the results table.
  7. Click Start attack. The attack starts running in the new dialog. Intruder sends a request for each password in the list.
  8. When the attack is finished, study the responses to look for any behavior that may indicate a valid password. For example, look for any anomalous error messages, response times, or status codes. In the example below, one of the requests has received a 302 response.

    Reviewing attack results
  9. To investigate the contents of a response in detail, right-click and select Send to Comparer (response). Do the same for the original response.
  10. Go to the Comparer tab. Select the two responses and click Words or Bytes to compare the responses. Any differences are highlighted.

Was this article helpful?