Common Uses for Burp Intruder

Burp Intruder is a very powerful tool and can help automate all kinds of tasks when testing web applications. The most common use cases for Intruder fall into the following categories:

  • Enumerating identifiers
  • Harvesting useful data
  • Fuzzing for vulnerabilties

Enumerating Identifiers

Web applications frequently use identifiers to refer to items of data and resources; for example, usernames, document IDs, and account numbers. Often, you will need to cycle through a large number of potential identifiers to enumerate which ones are valid or worthy of further investigation. Burp helps you to automate this process.

Intruder_GettingStartedWithBurpIntruder_1

Find a request that contains the identifier in a parameter, and where the response indicates whether the identifier is valid.

Configure a single payload position at the parameter's value.

 
 
Intruder_GettingStartedWithBurpIntruder_2

Use a suitable payload type to generate potential identifiers to test, using the correct format or scheme.

 
Intruder_GettingStartedWithBurpIntruder_3

Identify a feature of the response from which valid identifiers can be reliably inferred, and configure Burp accordingly.

For example, if a valid identifier returns a different HTTP status code or response length, you can sort the attack results on this attribute. Or if a valid identifier returns a response containing a specific expression, you can define a match grep item to pick out responses that match this expression.

 
Intruder_GettingStartedWithBurpIntruder_4

If the application's login failure messages let you enumerate valid usernames, use the username generator payload type to cycle through a long list of possible usernames and identify valid ones.

Having identified a list of valid usernames, you can use the simple list payload type with a set of common passwords to attempt to guess users' passwords.

 
Intruder_GettingStartedWithBurpIntruder_5

If an order processing application function lets you view details of any order by submitting a valid order ID, you can use the custom iterator payload type to generate potential order IDs in the correct format, and trawl for other users' orders.

This payload type lets you configure multiple lists of items, and generate payloads using all permutations of items in the lists. It provides a powerful way to generate custom permutations of characters or other items according to a given template. For example, a payroll application may identify individuals using a personnel number of the form AB/12; you may need to iterate through all possible personnel numbers to obtain the details of all individuals.

 
Intruder_GettingStartedWithBurpIntruder_6

If an application uses meaningful structured session tokens that are encrypted using a CBC cipher, you can use the bit flipper payload type to systematically modify a valid token to try to meaningfully tamper with its decrypted value.

This payload type operates on an input and modifies the value of each bit position in turn. It can operate on the existing base value of each payload position, or on a specified string. It cycles through the base string one character at a time, flipping each (specified) bit in turn.

 

Harvesting Useful Data

Intruder_GettingStartedWithBurpIntruder_7

In many situations, rather than simply identifying valid identifiers, you need to extract some interesting data about each item, to help you focus your efforts on the most critical items, or to feed the data into other attacks.

Find a request that contains an identifier in a parameter, and where the response contains the interesting data about the requested item.

Configure a single payload position at the parameter's value.

 
Intruder_GettingStartedWithBurpIntruder_8

Use a suitable payload type to generate potential identifiers to test, using the correct format or scheme.

 
Intruder_GettingStartedWithBurpIntruder_9

Configure an extract grep item to retrieve the relevant data from each response, and list this in the attack results.

 
Intruder_GettingStartedWithBurpIntruder_10

If the application has a "Forgotten password" feature that takes a username as a parameter and displays a password hint that was set by that user, you can cycle through a simple list of common usernames, and extract the password hint for each valid user.

You can then quickly scan the listing of retrieved hints to locate ones that are easily guessed.

 
Intruder_GettingStartedWithBurpIntruder_11

If the application returns some content dynamically, via a single URL that contains a numeric page ID parameter, you can use the numbers payload type to cycle through all possible identifiers and retrieve the HTML title tag for each page.

 
Intruder_GettingStartedWithBurpIntruder_12

If the application has a "User profile" page containing information about each user, including their role in the application, you can cycle through an already extracted list of usernames, and retrieve the role for each user, allowing you to quickly identify administrative accounts for further targeted attacks.

 

Fuzzing for Vulnerabilitites

Intruder_GettingStartedWithBurpIntruder_13

Many input-based vulnerabilities, such SQL injection, cross-site scripting, and file path traversal can be detected by submitting various test strings in request parameters, and analyzing the application's responses for error messages and other anomalies. Given the size and complexity of today's applications, performing this testing manually is a time consuming and tedious process.

Burp allows you to configure payload positions at the values of all request parameters.

 
Intruder_GettingStartedWithBurpIntruder_14

Use the simple list payload type.

Configure the payload list using one of Burp's predefined payload lists containing common fuzz strings, or your own list of attack strings.

 
Intruder_GettingStartedWithBurpIntruder_15

Configure match grep items with various common error message strings. The default options in the match grep UI include a list of useful strings for this purpose.

 
Intruder_GettingStartedWithBurpIntruder_16

After launching the attack, review the attack results to identify interesting errors and other anomalies.

You should sort the results table on each of the match grep columns, and also on other relevant columns such as response length, HTTP status code, response timers, etc.