PROFESSIONAL

Fuzzing for vulnerabilities

  • Last updated: January 27, 2023

  • Read time: 1 Minute

You can use Burp Intruder to identify input-based vulnerabilities by analyzing the attack results for error messages and other exceptions.

Related pages

For more information on input-based vulnerabilities, see:

Given the size and complexity of today's applications, manually fuzzing for vulnerabilities is a time-consuming process. You can automate the process with Burp Intruder.

Step 1: Set the payload positions

Set payload positions at the values of all request parameters.

Step 2: Set the payload type

Select the simple list payload type, then configure the payload list.

You can use your own list of attack strings, or one of Burp's predefined payload lists of common fuzz strings. For more information, see Predefined payload lists.

Setting payloads for fuzzing

Step 3: Set the match grep

Configure the Grep - Match option to flag responses that contain various common error message strings. For more information on this option, see Burp Intruder options.

You can use your own expressions, or use the default items.

Fuzzing grep match

Step 4: Analyze the results

Sort the attack results by the match grep expressions to identify any results with the common error message strings.

Intruder grep match fuzzing

Note

To test a large number of requests with the same payloads and match grep configuration, you can save or copy the tab's configuration. For more information, see Configuring Burp Intruder attacks.

Was this article helpful?