August 20, 2021
Burp Suite Tutorial Part 4: Getting Started With Burp Intruder
A brief overview of Burp Suite was given in the previous posts, including hotkeys to improve productivity, Burp Proxy, the request interceptor feature, and Burp Repeater. This post will focus on the core features of Burp Suite’s Intruder tool, which is very popular for brute-forcing and fuzzing web applications and APIs. Burp Intruder is useful in many auditing and pentesting scenarios. Thus, knowing how to use Intruder properly is an important skill to have.
As one might expect, Intruder is a fairly complicated tool with many different functions, so only some of them, along with a few important tricks, will be discussed here from a beginner’s standpoint.
Intruder can be used to replace complex scripts which are required in certain test cases like password brute force and complex fuzzing. It’s very easy to configure and customize per attack scenario and can be automated, replacing the need to inject payloads into an application manually.
Intruder supports several attack types such as:
- Sniper: inserts the payloads into one marked position at a time, leaving the other positions at their original values.
- Battering ram: inserts the same payload into every marked position at once on each request.
- Pitchfork: as the name suggests, runs two different payload lists in parallel, one list per marked position, so the first payload of each list goes into the first request, the second into the second, and so on.
- Cluster bomb: ideal for login brute-force testing with one list of usernames and one of passwords; it tries every combination of the payloads from the lists across the marked positions.
This may seem confusing to someone who is beginning to use it, so let’s try to understand what these mean and how one can fine-tune the settings to configure Intruder properly for most testing scenarios.
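The four attack types differ only in how payloads are combined across the marked positions, and that also decides how many requests an attack sends (which matters when setting throttling, and for anyone sizing rate limits or alert thresholds on the receiving side). The following Python model is an added example, not Burp’s own code: it parses a constructed request template that uses Burp’s § payload markers and reproduces the request set each attack type would generate.

```python
import itertools
import re
from typing import Iterator, List, Sequence

# Burp's payload marker as used in the Positions tab: the text between a
# pair of "§" characters is the original value that Intruder replaces.
MARKER = re.compile(r"§([^§]*)§")

# Constructed sample template (not a real request); the two marked
# positions are the values Intruder substitutes.
TEMPLATE = ("POST /login HTTP/1.1\r\nHost: pentest-target.com\r\n\r\n"
            "user=§alice§&pass=§secret§")

def fill(template: str, values: Sequence[str]) -> str:
    """Replace each marked position, left to right, with the next value."""
    it = iter(values)
    return MARKER.sub(lambda _m: next(it), template)

def intruder_requests(template: str, attack: str,
                      payload_sets: List[List[str]]) -> Iterator[str]:
    """Yield the requests Intruder would send for the given attack type."""
    originals = MARKER.findall(template)   # original value per position
    n = len(originals)
    if attack == "sniper":
        # one position at a time; the others keep their original value
        for i in range(n):
            for payload in payload_sets[0]:
                values = list(originals)
                values[i] = payload
                yield fill(template, values)
    elif attack == "battering ram":
        # the same payload goes into every position at once
        for payload in payload_sets[0]:
            yield fill(template, [payload] * n)
    elif attack == "pitchfork":
        # one set per position, walked in parallel; stops at the shortest set
        for combo in zip(*payload_sets[:n]):
            yield fill(template, combo)
    elif attack == "cluster bomb":
        # one set per position, every combination (Cartesian product)
        for combo in itertools.product(*payload_sets[:n]):
            yield fill(template, combo)
    else:
        raise ValueError(f"unknown attack type: {attack}")

def request_count(attack: str, payload_sets: List[List[str]]) -> int:
    """Number of requests the attack generates against TEMPLATE."""
    return sum(1 for _ in intruder_requests(TEMPLATE, attack, payload_sets))

if __name__ == "__main__":
    sets = [["a1", "a2", "a3"], ["b1", "b2"]]
    for mode in ("sniper", "battering ram", "pitchfork", "cluster bomb"):
        print(f"{mode:14s} -> {request_count(mode, sets)} requests")
```

With three payloads in the first list and two in the second, sniper sends 6 requests (3 per position), battering ram 3, pitchfork 2 and cluster bomb 6.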
The Target tab has two fields: Host, the IP address or domain name of the target web application or API; and Port, the port to connect to, which is usually 80 (HTTP, no SSL/TLS) or 443 (HTTPS, SSL/TLS encrypted). For example, the Target shown above is pentest-target.com over an SSL encrypted connection (port 443).
Normally, when one sends a request to Intruder from Burp Proxy or Burp Repeater, these fields are carried over and populated automatically, so there is usually no need to modify them.
Upon finding an interesting HTTP request being intercepted in Proxy, or to move a request from Repeater to Intruder, press the hotkey Ctrl + I instead of using the right-click menu. Then, to switch to the Intruder tab, use the shortcut Ctrl + Shift + I.
The second tab is Positions. It is used to mark the positions where Intruder will insert the payload in the HTTP request. As shown below, select the part of the request where the payload should go and click the Add § button. It’s important to understand the syntax here: “§” is the payload marker, and a pair of them encloses the part of the request (a parameter value, for example) that Burp will replace with each payload.
The Auto § button makes Burp mark the likely payload positions automatically, which makes the job a bit easier. To clear unnecessary payload markers, select those areas and click the Clear button to remove the markers from them.
The Payloads tab is the main area of interest in Intruder, as this is where one puts the payloads to test, such as a list of SQLi payloads. This is the interesting part because one can use many variations of payloads and have Burp inject them into the HTTP requests to the application automatically. Copy a list of payloads, then click the Paste button to use them in Intruder. After running the payloads (see the next step), analyze the responses to those requests. After selecting the payloads and configuring the Options, click Start Attack to start the tests. Adjust the number of threads as needed, based on any restrictions the application imposes: increase the threads for tests that depend on high load on the application (stress tests), set a request throttle to add a delay between requests, and/or set a variable throttle if needed to work around such restrictions.
What can one test for using Intruder?
Intruder is a very handy tool for performing brute force attacks, i.e., for testing whether the application is vulnerable to login brute force (a Cluster Bomb attack with username and password payloads), OTP brute force, or email enumeration; and also for fuzzing web applications for various types of vulnerabilities such as Command Injection, SQLi, and LFI. Going in-depth on such attacks can be a topic for another blog post.