Analyzing Burp Intruder attack results
Last updated: October 6, 2021
Read time: 3 Minutes
This section contains an example of how you might analyze the results of a typical Burp Intruder attack.
When you launch a Burp Intruder attack, a new attack window will open and the attack will start running. There are various functions to help you analyze the results, and identify interesting items for further investigation. The attack opens in a new window containing a table in the Results tab. The results table contains an entry for each request that has been made, with various key details such as the payload used, HTTP status code, response length, etc. You can select any item in the table to view the full request and response.
You can also sort the table by clicking on column headers, and filter the contents of the table using the filter bar. These features work in the same way as for the Proxy history.
Use the context menu to carry out other actions and integrate with your testing workflow.
The attack window contains other tabs, which show the configuration that was used for the current attack. You can modify most of this configuration after the attack has started.
Go to the Options tab, scroll down to "Grep - Match", and check the box "Flag result items with responses matching these expressions".
This will cause Intruder to inspect responses for items matching each expression in the list, and flag those with matches. By default, the list shows some common error strings that are useful when fuzzing, but you can configure your own strings if you wish.
Go back to the Results tab and see that Intruder has added a column for each item in the list, and these contain checkboxes indicating whether the expression was found in each response. If you are lucky, your attack might have triggered an error message in some responses. During simple fuzzing, this might indicate the presence of a bug. Comparing whether different keywords are present in a response is also useful for brute-force attacks and username enumeration, for example.
Now select any item in the table and look at the response for that item. Find an interesting string in the response (such as the page title, or an error message). Right-click the item in the table, and select "Define extract grep from response" from the context menu.
In the dialog, select the interesting string in the response, and click "OK".
The results table now contains a new column which extracts this piece of text from each response (which may be different in each case). You can use this feature to locate interesting data in large attacks with thousands of responses. Note that you can also configure "extract grep" items in the Options tab, prior to or during an attack.
You can use the "Save" menu in the results window to save either the results table or the entire attack. You can load the results table into other tools or a spreadsheet program. You can reload saved attacks via the Intruder menu on the main Burp UI.