Brute-forcing a login mechanism using Burp Intruder

  • Last updated: March 24, 2023

  • Read time: 4 Minutes

Burp Intruder supports various attack types. Often, a task is achievable with more than one type of attack. However, if you choose the right type, it can save you a great deal of effort when you carry out manual security testing.

This tutorial shows you how to use a Cluster bomb attack type to brute-force username and password fields simultaneously.


The Cluster bomb attack type may not be suitable for users of Burp Suite Community Edition - which lacks the full speed version of Burp Intruder found in Burp Suite Professional.

What is a Cluster bomb attack?

The Cluster bomb attack type assigns a different payload set to each defined payload position. It places payloads from each set in turn. It is useful for testing every possible permutation when an attack requires multiple different input values to be inserted in multiple places.

When you use a Cluster bomb attack, the number of requests generated increases exponentially with the number of payloads defined. This means that this attack type is mainly used to iterate through relatively small data sets.

In this tutorial for example, a list of 101 usernames and 100 passwords generates a 10,100 request attack (101 * 100 = 10,100).

Brute-forcing a login using a Cluster bomb attack

While the following lab's original solution suggests you use two separate Sniper attacks to solve the lab, in this example we will solve it with a single Cluster Bomb attack. The Cluster Bomb attack's multiple payload sets enable you to test the username and password fields simultaneously.

A Cluster Bomb attack is less efficient than two Sniper attacks, as it results in more requests being sent. Unlike the Sniper method, however, the Cluster Bomb method does not require you to enumerate valid usernames.


Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.

Step 1: Open the lab

Open Burp's browser, and use it to access the following URL:

Click Access the lab and log in to your PortSwigger account if prompted.

Step 2: Intercept a login request

In the lab, click the My account link to open the login page.

Enter some sample data into the Username and Password fields to help you identify them later. Click the Log in button.

A Web Security Academy login form, filled out

In Burp Suite, go to the Proxy tab, and click the HTTP history sub tab. Now you can see a list of the HTTP requests made by Burp's browser since you opened Burp Suite.

Find a request made with the Method POST, for the URL /login and click it.

A login request, shown in Burp Suite Professional's HTTP history

Step 3: Forward your intercepted request to Intruder

Sending a request to Intruder

Right click on the request you just selected, and click Send to Intruder.

Click the Intruder tab. Note that the request has been sent to Burp Intruder and now has payload positions (demarcated by § symbols) inserted at three points.

Step 4: Configure payload positions

A request in Burp Intruder, with automatically configured insertion points

To solve the lab, we only require payload positions for the username and password. Click Clear § to clear all positions.

Select the input data in the username field, and click Add § to mark it as a payload position.

A username field, selected in Burp Intruder

Repeat this for the input data in the password field, so that both fields are marked.

Username and password fields, configured as insertion points in Burp Intruder

Step 5: Configure and launch a Cluster bomb attack

From the Choose an attack type drop down, select Cluster bomb.

Selecting the Cluster bomb attack type in Burp Intruder

Click the Payloads tab. Note that Payload set is set to 1 and Payload type is set to Simple list.

Under Payload settings [simple list], paste the list of candidate usernames into the box.

Username payloads configured in Burp Intruder

Change the Payload set to 2.

Under Payload settings [Simple list], paste the list of candidate passwords into the box. Note that Request count has increased to 10,100.

Password payloads configured in Burp Intruder

Click Start attack.


Payload set defines the position into which a payload set is inserted. For example, if you have defined two payload positions within the request template, then payload set 1 is inserted into the first, and payload set 2 into the second.

Burp Intruder attack results

Observe that Intruder creates requests combining each entry in payload set 1 with the first entry in payload set 2, before moving onto the next item in payload set 2 and repeating the process. It does this until it reaches the end of payload set 2.

Step 6: Analyze attack results to determine the correct username and password

Wait for your attack to finish running - this may take a few minutes, especially if you are using the throttled version of Burp Intruder that comes with Burp Suite Community Edition.

Click the header of the Status column to sort the list of responses by HTTP status code. Note that you may need to click this more than once.

Observe that where most requests have a 200 (OK) status code, one request has a code of 302 (Found). Make a note of the username and password used in this request - they are the correct login details to solve the lab. Note that this is unlikely to be the same combination shown in the screenshot below.

Burp Intruder attack results with an interesting request selected

In the Proxy tab, ensure that Intercept is off.

In Burp's browser, return to the lab's Login page, and input the username and password you previously noted for the request with the 302 status code. Click Log in. This will solve the lab.

A Web Security Academy login form with the correct username and password entered

Summary and next steps

Congratulations - now you know how to configure a Cluster bomb attack in Burp Intruder to brute-force a simple login form more easily.

In practice, web applications often have robust countermeasures in place to thwart brute-forcing attempts. If you want to learn how to bypass some of these, then check out the Authentication topic in the Web Security Academy.

Was this article helpful?