PROFESSIONAL

Getting started with Burp Intruder

  • Last updated: May 17, 2022

  • Read time: 4 Minutes

Burp Intruder is a powerful tool for performing highly customizable, automated attacks against websites. It lets you configure attacks that send the same request over and over again, inserting different payloads into predefined positions each time. Among other things, this is useful for:

  • Fuzzing for input-based vulnerabilities.
  • Performing brute-force attacks.
  • Enumerating valid identifiers and other inputs.
  • Harvesting useful data.

The best way to understand how Burp Intruder works is to see it in action. We recommend following the tutorial below to launch your first Intruder attack.

For more detailed information about the features and attack types of Burp Intruder, please see the full documentation.

Tutorial

In this tutorial, you'll learn the basics of configuring a simple Intruder attack using one of the deliberately vulnerable labs on the Web Security Academy.

Step 1: Access the lab

Open Burp's browser, and use it to access the following URL:

https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses

Click Access the lab and log in to your PortSwigger account if prompted. This opens your own instance of a deliberately vulnerable blog website.

Step 2: Try to log in

Click My account, then try to log in using an invalid username and password.

Logging in with an invalid username and password

In Burp Suite, go to the Proxy > HTTP history tab. This shows all of the requests you have made in Burp's browser since opening it.

Find the POST /login request and send it to Burp Intruder.

Step 3: Set the payload positions

Go to the Intruder tab. Observe that there is now a tab displaying the POST /login request. We'll use this as the base request for our attack.

Notice that Burp Intruder has automatically inserted § characters in various positions throughout the request. These mark the beginning and end of a payload position, where Burp Intruder will attempt to insert payloads during the attack.

The unedited request

For this attack, we only need a single payload position in the username parameter. Click Clear § to clear the default positions.

Highlight the value of the username parameter, then click Add §.

Request with payload marker

Step 4: Select an attack type

At the top of the screen, you can select different attack types. For now, just make sure this is set to Sniper.

The attack type menu with sniper selected

A Sniper attack inserts a single set of payloads, one by one, into one or more positions within the request.
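To make the Sniper semantics concrete, here is an added example (not PortSwigger's code) that expands a base request containing § markers the way a Sniper attack does: one payload set, each payload inserted into one position at a time while any other positions keep their original value. The base request below is constructed for illustration and the host name is hypothetical; with a single position it reproduces the "101 payloads gives 101 requests" count from the tutorial, and with two positions it shows why the count doubles.

```python
"""Added example: how a Sniper attack expands §-marked payload positions."""
import re

# A payload position is the text between a pair of section-sign markers.
MARKER_RE = re.compile(r"§([^§]*)§")

# Constructed base request with one payload position around the username
# value, matching the position set up in Step 3. Host is hypothetical.
BASE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example-lab.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=§wiener§&password=peter"
)


def payload_positions(template: str) -> list[str]:
    """Return the original value enclosed by each §...§ pair, in order."""
    return MARKER_RE.findall(template)


def render(template: str, values: list[str]) -> str:
    """Replace the i-th §...§ position with values[i] and drop the markers."""
    out, last = [], 0
    for match, value in zip(MARKER_RE.finditer(template), values):
        out.append(template[last:match.start()])
        out.append(value)
        last = match.end()
    out.append(template[last:])
    return "".join(out)


def sniper_requests(template: str, payloads: list[str]) -> list[str]:
    """Expand the template as Sniper does: for each position in turn, insert
    every payload into that position while the other positions keep their
    original values. Produces len(positions) * len(payloads) requests."""
    originals = payload_positions(template)
    requests = []
    for target in range(len(originals)):
        for payload in payloads:
            values = [payload if i == target else orig
                      for i, orig in enumerate(originals)]
            requests.append(render(template, values))
    return requests


def request_count(template: str, payloads: list[str]) -> int:
    """The number Intruder shows as 'Request count' for a Sniper attack."""
    return len(payload_positions(template)) * len(payloads)


if __name__ == "__main__":
    for req in sniper_requests(BASE_REQUEST, ["admin", "carlos", "guest"]):
        print(req.rsplit("\r\n", 1)[-1])
```

Because the markers are stripped during rendering, the emitted requests contain only the payload values, which is why the Step 3 instruction to clear the default positions matters: every position left in place multiplies the request count.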

Step 5: Add the payloads

You now just need to configure the list of payloads that you want to use. For this demonstration, we'll try sending the request with different usernames to test how the login mechanism behaves.

Copy the following list of candidate usernames:

Go to the Payloads sub-tab.

Leave the Payload type set to Simple list.

In the Payload options section, click Paste to add the copied usernames to the list.

In the Payload sets section, you can see how many payloads you have added, and how many requests this attack will send. For this attack, you should see: Payload count: 101 / Request count: 101.

The payload sets loaded with usernames

Step 6: Start the attack

In the upper-right corner, click Start attack. This opens a new attack window in which you can see each of the requests that Burp Intruder is making.

If you select one of the entries in the table, you can view the request and response in the message editor. Notice that the username parameter contains a different value from our payload list in each request.

Looking at the contents of a request

Step 7: Look for any irregular responses

The attack window contains several columns displaying key information about each response.

Wait for the attack to finish, then click the heading of the Length column to sort the results. As you can see, one of the responses has a different length.

The history table sorted by length

This difference in response from the server is worth further investigation.

Step 8: Study the response

Select any request from the list to display it in the message editor.

Studying the responses, notice that most contain an Invalid username error message, but the one with the different-length response has an Incorrect password error message.

This differing response strongly suggests that this username is valid.

Comparing the two different error messages
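The root cause the tutorial exposes in Steps 7 and 8 is a login handler whose error message depends on whether the username exists. The following added example (not PortSwigger's code, and not the lab's implementation) models that handler beside a hardened version that returns one generic message, then applies the same check you performed by hand, sorting responses by length and looking for the outlier, to each. The credential store and candidate usernames are constructed values.

```python
"""Added example: why differing login errors enable username enumeration,
and how a uniform response closes the gap."""
import hmac
from collections import Counter

# Constructed credential store with a single valid account (hypothetical values).
USERS = {"carlos": "montoya"}


def login_verbose(username: str, password: str) -> str:
    """Vulnerable form, as in the lab: the message reveals which field was wrong."""
    if username not in USERS:
        return "Invalid username"
    if not hmac.compare_digest(USERS[username], password):
        return "Incorrect password"
    return "Welcome"


def login_uniform(username: str, password: str) -> str:
    """Hardened form: same message (and therefore same length) whether the
    username or the password was wrong, so sorting by Length shows nothing."""
    stored = USERS.get(username, "")
    if username in USERS and hmac.compare_digest(stored, password):
        return "Welcome"
    return "Invalid username or password"


def length_outliers(responses: list[tuple[str, str]]) -> list[str]:
    """Mimic sorting the Intruder results table by Length: return the payloads
    whose response body length differs from the most common length."""
    if not responses:
        return []
    lengths = Counter(len(body) for _, body in responses)
    common_len, _ = lengths.most_common(1)[0]
    return [payload for payload, body in responses if len(body) != common_len]


def run(handler, candidates: list[str], password: str = "wrong-password") -> list[str]:
    """Send each candidate username with a deliberately wrong password through
    the given handler and report which ones produced an irregular response."""
    return length_outliers([(u, handler(u, password)) for u in candidates])


# Constructed candidate list standing in for the tutorial's username list.
CANDIDATES = ["admin", "root", "carlos", "guest", "test"]

if __name__ == "__main__":
    print("verbose handler outliers:", run(login_verbose, CANDIDATES))
    print("uniform handler outliers:", run(login_uniform, CANDIDATES))
```

Against the verbose handler the analysis singles out the valid account exactly as the Length column did in the attack window; against the uniform handler every response is identical, so there is nothing to sort on. Equalising the message is the minimum fix; a handler that also takes the same time on both failure paths avoids leaking the same information through response timing.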

What next?

Now that you have a potentially correct username, the next logical step is to try to brute-force the password.

Try repeating this attack, using the username you have identified and this list of candidate passwords.

Brute forcing the password

You can view the complete solution to the lab here.

Learn more about Burp Intruder

You have now learned how to use a Sniper attack type against a single parameter.