Get involved in the Burp challenge for opportunities to test your skills and win swag  –   Challenge me


Brute-forcing a login mechanism using Burp Intruder

  • Last updated: November 25, 2022

  • Read time: 4 Minutes

Burp Intruder supports various attack types. Often, a task is achievable with more than one type of attack, but choosing the right one can save you a great deal of effort when conducting manual security testing.

In this tutorial, you'll learn how to use a Cluster bomb attack within Burp Suite to brute-force username and password fields simultaneously.


The Cluster bomb attack type may not be suitable for users of Burp Suite Community Edition - which lacks the full speed version of full speed version of Burp Intruder found in Burp Suite Professional.

What is a Cluster bomb attack?

The Cluster bomb attack type uses multiple payload sets, with a different payload set assigned to each defined position. It is useful for testing every possible permutation when an attack requires multiple different input values to be inserted in multiple places.

When using a Cluster bomb attack, the number of requests generated increases exponentially with the number of payloads defined. This means that this attack type is mainly used to iterate through relatively small data sets.

In this tutorial for example, a list of 101 usernames and 100 passwords generates a 10,100 request attack (101 * 100 = 10,100).

Brute-forcing a login using a Cluster bomb attack

While the following lab's original solution suggests using two separate Sniper attacks to solve the lab, in this example we will solve it by using a single Cluster Bomb attack. The Cluster Bomb attack's multiple payload sets enable you to test the username and password fields simultaneously.

Solving the lab using a Cluster Bomb attack is less efficient than using two Sniper attacks, as it results in more requests being sent. Unlike the Sniper method, however, the Cluster Bomb method does not rely on you being able to enumerate valid usernames.


Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.

Step 1: Open the lab

Open Burp's browser, and use it to access the following URL:

Click Access the lab and log in to your PortSwigger account if prompted.

Step 2: Intercept a login request

In the lab, click the My account link to open the login page.

Enter some sample data into the Username and Password fields to help you identify them later. Click the Log in button.

A Web Security Academy login form, filled out

In Burp Suite, go to the Proxy tab, and click the HTTP history sub tab. Now you can see a list of the HTTP requests made by Burp's browser since you opened Burp Suite.

Find a request made with the Method POST, for the URL /login and click it.

A login request, shown in Burp Suite Professional's HTTP history

Step 3: Forward your intercepted request to Intruder

Sending a request to Intruder

Right click on the request you just selected, and click Send to Intruder.

Click the Intruder tab. Note that the request has been sent to Burp Intruder and now has payload positions (demarcated by § symbols) inserted at three points.

Step 4: Configure payload positions

A request in Burp Intruder, with automatically configured insertion points

To solve the lab, we only require payload positions for the username and password. Click Clear § to clear all positions.

Select the input data in the username field, and click Add § to mark it as a payload position.

A username field, selected in Burp Intruder

Repeat this for the input data in the password field, so that both fields are marked.

Username and password fields, configured as insertion points in Burp Intruder

Step 5: Configure and launch a Cluster bomb attack

From the Choose an attack type drop down, select Cluster bomb.

Selecting the Cluster bomb attack type in Burp Intruder

Click the Payloads tab. Note that Payload set is set to 1 and Payload type is set to Simple list.

Under Payload options [simple list], paste the list of candidate usernames into the box.

Username payloads configured in Burp Intruder

Change the Payload set to 2.

Under Payload options [Simple list], paste the list of candidate passwords into the box. Note that Request count has increased to 10,100.

Password payloads configured in Burp Intruder

Click the Start attack button.


Payload set defines the position into which a payload set is inserted. For example, if you have defined two payload positions within the request template, then payload set 1 is inserted into the first, and payload set 2 into the second.

Burp Intruder attack results

Observe that Intruder creates requests combining each entry in payload set 1 with the first entry in payload set 2, before moving onto the next item in payload set 2 and repeating the process. It does this until it reaches the end of payload set 2.

Step 6: Analyze attack results to determine the correct username and password

Wait for your attack to finish running - this may take a few minutes, especially if you are using the throttled version of Burp Intruder that comes with Burp Suite Community Edition.

Click the header of the Status column to sort the list of responses by HTTP status code. Note that you may need to click this more than once.

Observe that where most requests have a 200 (OK) status code, one request has a code of 302 (Found). Make a note of the username and password used in this request - they are the correct login details to solve the lab. Note that this is unlikely to be the same combination shown in the screenshot below.

Burp Intruder attack results with an interesting request selected

In the Proxy tab, ensure that Intercept is off.

In Burp's browser, return to the lab's Login page, and input the username and password you previously noted for the request with the 302 status code. Click Log in. This will solve the lab.

A Web Security Academy login form with the correct username and password entered

Summary and next steps

Congratulations - now you know how to configure a Cluster bomb attack in Burp Intruder to brute-force a simple login form more easily.

In practice, web applications often have robust countermeasures in place to thwart brute-forcing attempts. If you want to learn how to bypass some of these, then check out the Authentication topic in the Web Security Academy.

Was this article helpful?