Brute-forcing a login mechanism using Burp Intruder
Last updated: January 19, 2022
Read time: 4 Minutes
Burp Intruder supports various attack types. Often, a task is achievable with more than one type of attack, but choosing the right one can save you a great deal of effort when conducting manual security testing.
In this tutorial, you'll learn how to use a Cluster bomb attack within Burp Suite to brute-force username and password fields simultaneously.
The Cluster bomb attack type may not be suitable for users of Burp Suite Community Edition - which lacks the full speed version of full speed version of Burp Intruder found in Burp Suite Professional.
What is a Cluster bomb attack?
The Cluster bomb attack type uses multiple payload sets, with a different payload set assigned to each defined position. It is useful for testing every possible permutation when an attack requires multiple different input values to be inserted in multiple places.
When using a Cluster bomb attack, the number of requests generated increases exponentially with the number of payloads defined. This means that this attack type is mainly used to iterate through relatively small data sets.
In this tutorial for example, a list of 101 usernames and 100 passwords generates a 10,100 request attack (101 * 100 = 10,100).
Brute-forcing a login using a Cluster bomb attack
While the following lab's original solution instructs you to use two separate Sniper type attacks in order to solve it, here we will solve it more easily by using a single Cluster bomb attack. This enables you to test both the username and password fields simultaneously.
Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.
Step 1: Open the lab
Open Burp's browser, and use it to access the following URL:
Click Access the lab and log in to your PortSwigger account if prompted.
Step 2: Intercept a login request
In the lab, click the My account link to open the login page.
Enter some sample data into the Username and Password fields to help you identify them later. Click the Log in button.
In Burp Suite, go to the Proxy tab, and click the HTTP history sub tab. Now you can see a list of the HTTP requests made by Burp's browser since you opened Burp Suite.
Find a request made with the Method
POST, for the URL
/login and click it.
Step 3: Forward your intercepted request to Intruder
Right click on the request you just selected, and click Send to Intruder.
Click the Intruder tab. Note that the request has been sent to Burp Intruder and now has payload positions (demarcated by § symbols) inserted at three points.
Step 4: Configure payload positions
To solve the lab, we only require payload positions for the username and password. Click Clear § to clear all positions.
Select the input data in the username field, and click Add § to mark it as a payload position.
Repeat this for the input data in the password field, so that both fields are marked.
Step 5: Configure and launch a Cluster bomb attack
From the Choose an attack type drop down, select Cluster bomb.
Click the Payloads tab. Note that Payload set is set to 1 and Payload type is set to Simple list.
Under Payload options [simple list], paste the list of candidate usernames into the box.
Change the Payload set to 2.
Under Payload options [Simple list], paste the list of candidate passwords into the box. Note that Request count has increased to 10,100.
Click the Start attack button.
Payload set defines the position into which a payload set is inserted. For example, if you have defined two payload positions within the request template, then payload set 1 is inserted into the first, and payload set 2 into the second.
Observe that Intruder creates requests combining each entry in payload set 1 with the first entry in payload set 2, before moving onto the next item in payload set 2 and repeating the process. It does this until it reaches the end of payload set 2.
Step 6: Analyze attack results to determine the correct username and password
Wait for your attack to finish running - this may take a few minutes, especially if you are using the throttled version of Burp Intruder that comes with Burp Suite Community Edition.
Click the header of the Status column to sort the list of responses by HTTP status code. Note that you may need to click this more than once.
Observe that where most requests have a
200 (OK) status code, one request has a code of
302 (Found). Make a note of the username and password used in this request - they are the correct login details to solve the lab. Note that this is unlikely to be the same combination shown in the screenshot below.
In the Proxy tab, ensure that Intercept is off.
In Burp's browser, return to the lab's Login page, and input the username and password you previously noted for the request with the
302 status code. Click Log in. This will solve the lab.
Summary and next steps
Congratulations - now you know how to configure a Cluster bomb attack in Burp Intruder to brute-force a simple login form more easily.
In practice, web applications often have robust countermeasures in place to thwart brute-forcing attempts. If you want to learn how to bypass some of these, then check out the Authentication topic in the Web Security Academy.