Using Burp Intruder
Burp Intruder is a tool for automating customized attacks against web applications.
It is extremely powerful and configurable, and can be used to perform a huge
range of tasks, from simple brute-force guessing of web directories through
to active exploitation of complex blind SQL injection vulnerabilities.
How Intruder Works
Burp Intruder works by taking an HTTP request (called the "base request"),
modifying the request in various systematic ways, issuing each modified
version of the request, and analyzing the application's responses to
identify interesting features.
For each attack, you must specify one or more sets of
payloads, and the
positions in the base request where
the payloads are to be placed. Numerous methods of generating payloads are
available (including simple lists of strings, numbers, dates, brute force,
bit flipping, and many others). Payloads can be placed into payload
positions using different
algorithms. Various tools are available to help analyze the results and
identify interesting items for further investigation.
Typical Uses
Burp Intruder is a very flexible tool and can help automate all kinds of
tasks when testing web applications. The most common use cases for Intruder fall
into the following categories:
For a further discussion of the kinds of attacks that can be performed
using Burp Intruder, see The Web Application Hacker's
Handbook (chapter 13 in the first
edition, and chapter 14 in the
second edition).
Enumerating Identifiers
Web applications frequently use identifiers to refer to items of data and
resources; for example, usernames, document IDs, and account numbers. Often,
you will need to cycle through a large number of potential identifiers to
enumerate which ones are valid or worthy of further investigation. To do
this in Burp Intruder, you need to perform the following steps:
- Find an application request that contains the identifier in a
parameter, and where the response indicates whether the identifier is
valid.
- Configure a single payload
position at the parameter's value.
- Use a suitable payload type to
generate potential identifiers to test, using the correct format or
scheme.
- Identify a feature of the response from which valid identifiers can
be reliably inferred, and configure Burp accordingly. For example, if a
valid identifier returns a different HTTP status code or response
length, you can sort the
attack results on this attribute. Or if a valid identifier returns a
response containing a specific expression, you can define a
match grep item to pick
out responses that match this expression.
Some examples of real-world attacks of this type are as follows:
- If the application's login failure messages let you enumerate valid
usernames, use the
username
generator payload type to cycle through a long list of possible
usernames and identify valid ones.
- Having identified a list of valid usernames, you can use the
simple list
payload type with a set of common passwords to attempt to guess user's
passwords.
- If an application function lets you view details of any order, by
submitting a valid order ID, you can use the
custom iterator
payload type to generate potential order IDs in the correct format, and
trawl for other users' orders.
- If an application uses meaningful structured session tokens that are
encrypted using a CBC cipher, you can use the
bit flipper
payload type to systematically modify a valid token to try to
meaningfully tamper with its decrypted value.
Harvesting Useful Data
In many situations, rather than simply identifying valid identifiers, you
need to extract some interesting data about each item, to help you focus
your efforts on the most critical items, or to feed in to other attacks. To
do this in Burp Intruder, you need to perform the following steps:
- Find an application request that contains an identifier in a
parameter, and where the response contains the interesting data about
the requested item.
- Configure a single payload
position at the parameter's value.
- Use a suitable payload type to
generate potential identifiers to test, using the correct format or
scheme.
- Configure an extract
grep item to retrieve the relevant data from each response, and list
this in the attack results.
Some examples of real-world attacks of this type are as follows:
- If the application has a "Forgotten password" feature that takes a
username as a parameter and displays a password hint that was set by
that user, you can cycle through a
simple list of
common usernames, and extract the password hint for each valid user. You
can then quickly scan the listing of retrieved hints to locate ones that
are easily guessed.
- If the application returns some content dynamically, via a single
URL that contains a numeric page ID parameter, you can use the
numbers payload type
to cycle through all possible identifiers and retrieve the HTML title
tag for each page. You can then quickly review the list of available
pages to identify any that are particularly interesting or which you
should not be allowed to access.
- If application has a "User profile" page containing information
about each user, including their role in the application, you can cycle
through an already extracted list of usernames, and retrieve the role
for each user, allowing you to quickly identify administrative accounts
for further targeted attacks.
Fuzzing For Vulnerabilities
Many input-based vulnerabilities, such SQL injection, cross-site
scripting, and file path traversal can be detected by submitting various
test strings in request parameters, and analyzing the application's
responses for error messages and other anomalies. Given the size and
complexity of today's applications, performing this testing manually is a
time consuming and tedious process.
You can automate web application fuzzing with Burp Intruder, using the
following steps:
- Configure payload positions at the values of all request parameters.
- Use the simple
list payload type.
- Configure the payload list using one of Burp's
predefined
payload lists containing common fuzz strings, or your own list of
attack strings.
- Configure match grep
items with various common error message strings. The default options in
the match grep UI include a list of useful strings for this purpose.
- After launching the attack, review the
attack results to identify
interesting errors and other anomalies. You should sort the results
table on each of the match grep columns, and also on other relevant
columns such as response length, HTTP status code, response timers, etc.
Note: When fuzzing, you will typically want to test a
large number of requests using the same Intruder payloads and match grep
configuration. To facilitate this, you can use the Intruder menu to
configure the "New tab behavior" option to "Copy configuration from last
tab". Then, when you have configured your payloads and grep strings for one
request, subsequent requests that you send to Intruder will pick up the same
configuration options within their tab. To fuzz multiple requests, you then
simply need to send each one to Intruder, and choose "Start attack" from the
Intruder menu.
Configuring an Attack
The main Intruder UI lets you configure multiple attacks simultaneously,
each in its own tab. When you send requests to Intruder, each one is opened
in its own numbered tab. Each attack configuration tab contains several
sub-tabs that are used to configure the attack. Use the links below for help
on the details of each tab:
- Target - This is
used to configure the details of the target server for the attack.
- Positions -
This is used to configure the request template
for the attack, together with payload positions, and the
attack type (this determines the way in which payloads are assigned to payload
positions).
- Payloads -
This is used to configure one or more sets of payloads, which will be
placed into payload positions during the attack.
- Options - This
is used to configure numerous other options affecting the attack.
The easiest
way to create a new Intruder attack is to select the relevant base request within another
Burp tool (such as the Proxy history or Target
site map), and use the "Send to Intruder"
option on the context menu. This will create a new attack tab, and automatically populate the
Target and
Positions tabs with
the relevant details about the base request. You can then modify the automatic
payload positions if required, and configure suitable
payloads and other attack
options.
Burp Intruder has a number of functions to help you manage attack
configurations. These functions are available via the Intruder menu:
- You can save the attack configuration for the current tab, and
reload it later. When loading or saving, you can
optionally include or exclude the payload positions settings. Including
the payload positions settings lets you save the full configuration for
a specific attack. Excluding the payload positions settings lets you
save a generic attack configuration that can be reused for another base
request template and payload positions - for example, your preferred
configuration for fuzzing a particular type of request.
- You can copy attack configurations between two existing tabs, or
into a new tab. Again, you can optionally include or exclude the payload
positions settings.
- You can control how Intruder handles attack configurations when you
open a new attack tab (by clicking on the right-most "..." tab, or
sending a new request to Intruder). You can optionally use the default
attack configuration, copy the configuration from the first open tab, or
copy the configuration from the last open tab. Using the latter options
lets you create a generic attack configuration (e.g. for fuzzing), and
automatically apply this to each new request that you send to Intruder.
The attack tabs themselves are easy to manage. You can:
- Rename tabs by double-clicking the tab header.
- Reorder tabs by dragging them.
- Open a new tab by clicking on the right-most "..." tab.
- Close tabs by clicking the X button in the tab header.
Launching an Attack
When your attack is fully configured, you can
launch the attack by selecting "Start attack" from the Intruder menu.
Each attack runs in a new window, containing detailed
results, with full requests and
responses (if configured). There
are various functions to help you
analyze the results, and
identify interesting items for further investigation. You can:
- Sort the results columns to order the items according to different
attributes (HTTP status code, response length, etc.).
- Unhide additional results
columns that
are hidden by default.
- Define new match grep
and extract grep items
when the attack is already underway, to perform further analysis based
on the observed results.
- Set a display filter
and annotate
results.
- Save the contents
of the results table.
- Use the context
menu to carry out other actions and integrate with your
testing
workflow.
- [Pro version] Save
the entire attack. To later reload a saved attack, select "Open saved
attack" on the Intruder menu.