Burp Suite Intruder Tool

The Intruder tool is Burp Suite's automated request manipulation engine. It allows you to perform customized attacks against web applications by sending multiple variations of requests and analyzing the responses.

Overview

Purpose and Functionality

Intruder serves as Burp Suite's primary automation tool for:

• Fuzzing parameters and inputs
• Brute-forcing credentials
• Enumerating identifiers and resources
• Testing for injection vulnerabilities
• Harvesting useful data from responses
• Performing custom, targeted attacks

It works by taking a base request, defining positions where payloads should be inserted, and then automatically sending multiple requests with different payload values.

Community vs. Professional Edition

The Intruder tool has significant differences between editions:

Community Edition:

• Severely rate-limited - approximately 1 request per second
• Only Sniper and Battering Ram attack types
• Basic payload options
• Limited results analysis

Professional Edition:

• No rate limiting - maximum speed
• All four attack types - including Cluster Bomb and Pitchfork
• Advanced payload types and processing
• Enhanced results analysis
• Resource pool management

Warning: The rate limitation in the Community Edition makes it impractical for many real-world testing scenarios that require processing numerous requests.

Attack Types

Sniper Attack

The Sniper attack targets each position one at a time:

• Uses a single payload set
• Places each payload in each position in turn
• Total requests = number of positions × number of payloads
• Available in both Community and Professional editions

Example:

• Base request with 3 positions
• Payload set with 10 values
• Total requests: 3 × 10 = 30

Best for:

• Testing individual parameters
• Finding vulnerabilities in specific inputs
• Initial fuzzing of multiple parameters

Battering Ram Attack

The Battering Ram attack uses the same payload in all positions simultaneously:

• Uses a single payload set
• Places the same payload in all positions at once
• Total requests = number of payloads
• Available in both Community and Professional editions

Example:

• Base request with 3 positions
• Payload set with 10 values
• Total requests: 10

Best for:

• Testing for vulnerabilities that span multiple parameters
• When the same value needs to be in multiple places
• Testing duplicate parameter submissions

Pitchfork Attack - Professional Only

The Pitchfork attack uses multiple payload sets in lockstep:

• Uses one payload set per position
• Iterates through all payload sets simultaneously
• Total requests = number of payloads in smallest set
• Only available in Professional Edition

Example:

• Base request with 2 positions
• Payload set 1: 10 usernames
• Payload set 2: 10 matching passwords
• Total requests: 10

Best for:

• Testing related pairs of values - username/password
• When payloads need to be coordinated across parameters
• Testing with lists of known valid combinations

Cluster Bomb Attack - Professional Only

The Cluster Bomb attack tries all combinations of payloads:

• Uses one payload set per position
• Tests every possible combination of payloads
• Total requests = product of all payload set sizes
• Only available in Professional Edition

Example:

• Base request with 2 positions
• Payload set 1: 10 usernames
• Payload set 2: 100 passwords
• Total requests: 10 × 100 = 1,000

Best for:

• Brute-force attacks
• Testing all possible combinations
• Comprehensive parameter testing

Warning: Cluster Bomb attacks can generate a very large number of requests. Calculate the total before starting to avoid unintentional denial of service.

Getting Started

Setting Up an Attack

Basic Attack Configuration

1. Select a base request

   • Intercept a request in Proxy
   • Right-click and select "Send to Intruder"
   • Or select from Proxy history or Site map

2. Configure positions

   • Go to the Positions tab
   • Clear all automatically selected positions if needed
   • Add positions manually by selecting text and clicking "Add §"
   • Positions are marked with § symbols

3. Select attack type

   • Choose from Sniper, Battering Ram, Pitchfork, or Cluster Bomb
   • Consider the number of positions and required payloads

4. Configure payloads

   • Go to the Payloads tab
   • Select or create payload sets
   • Add payload values
   • Configure payload processing rules if needed

5. Launch the attack

   • Click "Start attack"
   • A new window opens showing the attack progress

Payload Types

Simple List

The most basic payload type:

• Manually entered or pasted values
• One payload per line
• Can be loaded from a file
• Supports adding prefixes and suffixes

Common uses:

• Wordlists for brute-forcing
• Known values for enumeration
• Test strings for input validation

Example values:

• Usernames: admin, user, test, root
• Passwords: password123, admin123, qwerty
• Injection tests: ' OR 1=1 --, script-alert-script

Numbers

Generates numeric sequences:

• Define start and end values
• Set step size
• Format options - padding, etc.

Common uses:

• User ID enumeration
• Pagination testing
• Sequential resource access
• Numeric boundary testing

Example configuration:

• From: 1
• To: 100
• Step: 1
• Result: 1, 2, 3, ..., 100

Advanced Payload Types - Professional

The Professional Edition includes additional payload types:

Character substitution:

• Replace characters in base strings
• Test character encoding issues

Case modification:

• Generate variations with different case patterns
• Test case sensitivity

Recursive grep:

• Extract values from previous responses
• Use in subsequent requests

Custom iterators:

• Generate complex sequences
• Combine multiple payload sets

Username generator:

• Create username variations from names

Dates:

• Generate date sequences
• Test date-based functionality

These advanced types significantly enhance testing capabilities for specific scenarios.

Payload Processing

Payload Processing Rules

Modify payloads before they're sent:

1. Encoding

   • URL encode
   • HTML encode
   • Base64 encode
   • ASCII hex encode

2. String Transformations

   • Add prefix/suffix
   • Match/replace
   • Case modification
   • Trim

3. Custom Rules

   • Hash functions - MD5, SHA-1, etc.
   • Boundary transformations
   • Multiple rules can be chained

Processing rules allow you to adapt payloads for specific testing scenarios without modifying the original payload list.

Payload Options

Additional settings for payload handling:

• Payload Encoding: Control how special characters are encoded
• Payload Positions: Define which positions use which payload sets
• Match/Replace: Perform global replacements on payloads
• Grep Extract: Extract values from responses for use in subsequent requests
• Grep Payloads: Filter payloads based on response patterns

These options provide fine-grained control over how payloads are generated and processed during attacks.

Attack Configuration

Positions Tab

Defining Payload Positions

The Positions tab is where you define where payloads will be inserted:

1. Automatic position detection

   • Burp automatically identifies common parameters
   • Click "Clear §" to remove all positions
   • Click "Auto §" to automatically detect positions

2. Manual position selection

   • Select text in the request
   • Click "Add §" to mark as a position
   • Click "Remove §" to unmark a position

3. Position types

   • URL parameters
   • Body parameters
   • Cookies
   • Headers
   • Request path components
   • JSON values
   • XML values

4. Position refinement

   • Be precise about position boundaries
   • Consider encoding requirements
   • Think about how the application processes the input

Proper position selection is crucial for effective testing and avoiding application errors.

Advanced Position Techniques

Beyond basic parameter targeting:

1. Nested data structures

   • JSON objects and arrays
   • XML elements and attributes
   • Nested form parameters

2. Multiple positions in one parameter

   • Partial parameter replacement
   • Testing specific parts of complex values

3. Non-standard positions

   • URL path components
   • Fragment identifiers
   • WebSocket messages
   • Custom headers

4. Recursive insertion

   • Testing for second-order vulnerabilities
   • Payloads that contain payload markers

Advanced positioning allows for more precise and creative testing scenarios.

Payloads Tab

Configuring Payload Sets

The Payloads tab is where you define what values will be inserted:

1. Payload set selection

   • For Sniper and Battering Ram: only one set
   • For Pitchfork and Cluster Bomb: one set per position

2. Payload type selection

   • Simple list
   • Numbers
   • Custom/advanced types - Professional

3. Adding payload items

   • Manual entry
   • Paste from clipboard
   • Load from file
   • Generate from rules

4. Payload options

   • Case modification
   • Encoding options
   • Prefix/suffix settings

Effective payload selection is key to discovering vulnerabilities and avoiding false negatives.

Working with Wordlists

Wordlists are essential for many types of attacks:

1. Common wordlist sources

   • SecLists - https://github.com/danielmiessler/SecLists
   • Built-in Burp wordlists
   • Custom wordlists for specific applications

2. Wordlist types

   • Usernames and passwords
   • Directory and file names
   • Parameter names
   • Injection payloads
   • Fuzzing strings

3. Wordlist optimization

   • Remove irrelevant entries
   • Sort by likelihood
   • Deduplicate entries
   • Customize for the target application

4. Managing large wordlists

   • Split into smaller chunks
   • Use resource pools - Professional
   • Consider runtime and server impact

The right wordlist can significantly improve the effectiveness of your testing.

Options Tab

Request Options

Configure how requests are processed:

1. Request headers

   • Update Content-Length header
   • Set Connection: close
   • Follow redirections

2. Request engine

   • Number of threads - Professional
   • Throttling settings
   • Pause before requests

3. Grep options

   • Extract data from responses
   • Match patterns for classification
   • Define custom extraction rules

4. Redirections

   • Follow redirections automatically
   • Set maximum redirection depth

Proper request options ensure accurate testing and efficient resource usage.

Grep and Extract

Extract and analyze data from responses:

1. Grep - Match

   • Define strings to highlight in results
   • Quickly identify interesting responses
   • Flag potential vulnerabilities

2. Grep - Extract

   • Define patterns to extract data
   • Use regular expressions with capture groups
   • Extract tokens, IDs, or other values

3. Recursive grep (Professional)

   • Use extracted values as payloads
   • Chain attacks together
   • Follow application logic

4. Common use cases

   • Extract CSRF tokens
   • Harvest user information
   • Identify success/failure indicators
   • Extract hidden values for subsequent requests

Grep functionality transforms Intruder from a simple request generator into a powerful data harvesting tool.

Analyzing Results

Results Table

The results table displays all attack requests and responses:

1. Columns

   • Request number
   • Payload(s) used
   • Status code
   • Length
   • Response time
   • Custom extracted values
   • Grep matches

2. Sorting and filtering

   • Click column headers to sort
   • Filter by any column value
   • Hide uninteresting results

3. Color coding

   • Highlight interesting responses
   • Identify patterns and anomalies
   • Quickly spot potential vulnerabilities

4. Response inspection

   • View full requests and responses
   • Analyze headers, body, and rendering
   • Compare with other responses

Effective results analysis is crucial for identifying vulnerabilities and understanding application behavior.

Analysis Techniques

Strategies for identifying interesting results:

1. Length-based analysis

   • Look for responses with unusual lengths
   • Group responses by length
   • Identify patterns and outliers

2. Status code analysis

   • Group by status code
   • Look for unexpected codes (e.g., 200 instead of 403)
   • Identify error conditions

3. Time-based analysis

   • Look for unusually slow responses
   • May indicate successful time-based attacks
   • Identify performance issues

4. Content analysis

   • Search for specific strings
   • Look for error messages
   • Identify information disclosure

5. Comparison techniques

   • Compare similar requests with different outcomes
   • Identify what triggered different behavior
   • Understand application logic

Combining multiple analysis techniques provides the most comprehensive view of application behavior and vulnerabilities.

Common Attack Scenarios

Authentication Testing

Brute Force Attacks

Testing authentication mechanisms:

1. Username enumeration

   • Target login or registration forms
   • Look for different responses for valid vs. invalid usernames
   • Use Cluster Bomb with username and password lists

2. Password brute-forcing

   • Use Pitchfork for known username/password pairs
   • Use Cluster Bomb for trying all combinations
   • Look for successful login indicators

3. Multi-factor authentication

   • Test for bypasses
   • Brute-force verification codes
   • Look for implementation flaws

4. Rate limiting detection

   • Monitor for account lockouts
   • Look for CAPTCHA triggers
   • Test IP-based vs. account-based limits

Warning: Always ensure you have proper authorization before performing brute force attacks. Many jurisdictions consider unauthorized brute forcing illegal.

Injection Testing

SQL Injection

Testing for SQL injection vulnerabilities:

1. Detection payloads

   • ' OR 1=1 --
   • " OR 1=1 --
   • 1' OR '1'='1
   • 1 OR 1=1

2. Error-based detection

   • Look for database error messages
   • Different responses to malformed queries

3. Boolean-based testing

   • ' AND 1=1 -- vs. ' AND 1=2 --
   • Look for different responses

4. Time-based testing

   • ' WAITFOR DELAY '0:0:5' --
   • ' SLEEP(5) --
   • Monitor response times

5. Analysis techniques

   • Group by response length
   • Look for error messages
   • Compare response times

SQL injection testing with Intruder allows for systematic testing of multiple parameters and payloads.

Cross-Site Scripting (XSS)

Testing for XSS vulnerabilities:

1. Detection payloads

   • <script>alert(1)</script>
   • "><script>alert(1)</script>
   • '><script>alert(1)</script>
   • javascript:alert(1)

2. Context-specific payloads

   • HTML attribute context: " onmouseover="alert(1)
   • JavaScript context: ';alert(1);//
   • CSS context: </style><script>alert(1)</script>

3. Evasion techniques

   • Case variation: <ScRiPt>alert(1)</sCrIpT>
   • Encoding: %3Cscript%3Ealert(1)%3C/script%3E
   • Alternative syntax: <img src="x" onerror="alert(1)">

4. Analysis techniques

   • Look for unfiltered payloads in responses
   • Check for partial filtering
   • Test browser rendering of responses

XSS testing requires careful analysis of how the application processes and outputs user input in different contexts.

Enumeration and Discovery

Directory and Resource Enumeration

Discovering hidden resources:

1. Directory enumeration

   • Target URL path
   • Use wordlists of common directory names
   • Look for 200, 301, 302 responses

2. File enumeration

   • Target URL path + filename
   • Use extensions relevant to the application (.php, .aspx, etc.)
   • Look for different response sizes and status codes

3. API endpoint discovery

   • Enumerate API paths
   • Test different HTTP methods
   • Look for JSON/XML responses

4. Analysis techniques

   • Filter out 404 responses
   • Group by response length
   • Look for interesting content in responses

Resource enumeration can reveal hidden functionality, backup files, or development resources that may contain vulnerabilities.

Parameter Discovery and Fuzzing

Discovering hidden parameters:

1. Parameter name fuzzing

   • Add parameters to requests
   • Use wordlists of common parameter names
   • Look for changes in response

2. Parameter value fuzzing

   • Test different values for known parameters
   • Look for interesting behavior
   • Identify validation patterns

3. HTTP method fuzzing

   • Test different HTTP methods (GET, POST, PUT, DELETE)
   • Look for supported but undocumented methods

4. Analysis techniques

   • Group by response length
   • Look for error messages
   • Identify changes in application behavior

Parameter discovery can reveal hidden functionality or parameters that may not be properly validated.

Advanced Techniques

Resource Pool Management (Professional)

Optimize attack performance and resource usage:

1. Creating resource pools

   • Go to Project options → Misc → Resource pools
   • Create pools with different settings

2. Pool settings

   • Maximum concurrent requests
   • Throttling (requests per second)
   • Scope (hosts and URLs)

3. Assigning pools to attacks

   • Select pool in Intruder options
   • Different attacks can use different pools

4. Use cases

   • Aggressive testing for robust applications
   • Gentle testing for sensitive applications
   • Balancing multiple simultaneous attacks

Resource pools help prevent accidental denial of service while maximizing testing efficiency.

Session Handling with Macros (Professional)

Maintain authentication during attacks:

1. Creating session handling rules

   • Go to Project options → Sessions
   • Create rules that apply to Intruder

2. Recording macros

   • Record login sequences
   • Extract session tokens
   • Configure token reuse

3. Rule application

   • Apply before requests are sent
   • Maintain valid session state
   • Handle anti-CSRF tokens

4. Use cases

   • Testing authenticated functionality
   • Handling complex session mechanisms
   • Bypassing anti-automation controls

Session handling rules allow Intruder to test protected functionality that requires authentication.

Intruder Extensions (Professional)

Extend Intruder functionality with extensions:

1. Turbo Intruder

   • High-performance custom attacks
   • Python-based attack scripting
   • Advanced payload generation

2. Custom payload generators

   • Create specialized payload types
   • Implement complex generation logic
   • Integrate with external tools

3. Results processors

   • Custom analysis of responses
   • Automated vulnerability detection
   • Integration with reporting tools

4. Popular extensions

   • Turbo Intruder
   • Intruder Payload Generator
   • Custom Parameter Handler
   • JWT Editor

Extensions can significantly enhance Intruder's capabilities for specialized testing scenarios.

Best Practices

Optimizing Attack Efficiency

Maximize effectiveness while minimizing resource usage:

1. Target selection

   • Focus on high-value parameters
   • Test one functionality at a time
   • Prioritize sensitive operations

2. Payload optimization

   • Use focused, relevant payloads
   • Start with smaller payload sets
   • Expand based on initial results

3. Attack configuration

   • Use appropriate attack type
   • Configure proper thread count
   • Set reasonable timeouts

4. Response handling

   • Define clear success/failure criteria
   • Use grep extract for important data
   • Filter uninteresting results

Efficient attacks save time, reduce server load, and produce more manageable results.

Ethical Considerations

Responsible use of Intruder:

1. Authorization

   • Only test applications you own or have permission to test
   • Respect scope limitations
   • Adhere to responsible disclosure policies

2. Impact awareness

   • Consider server load and performance
   • Be cautious with sensitive functionality
   • Avoid disrupting production systems

3. Data handling

   • Respect privacy of discovered data
   • Secure and properly dispose of findings
   • Report sensitive data exposure responsibly

4. Legal compliance

   • Understand relevant laws and regulations
   • Document authorization
   • Stay within agreed boundaries

Warning: Unauthorized use of Intruder may violate computer crime laws and could result in civil or criminal penalties.

Troubleshooting

Common Issues and Solutions

Solutions to frequently encountered problems:

1. Attack not starting

   • Check payload configuration
   • Verify positions are correctly set
   • Ensure sufficient system resources

2. Slow performance

   • Reduce concurrent threads
   • Use smaller payload sets
   • Check for network latency
   • Consider upgrading to Professional Edition

3. Application errors

   • Verify payload encoding is appropriate
   • Check for application-specific formatting
   • Consider session handling requirements

4. False negatives

   • Try different payload variations
   • Check for defensive mechanisms
   • Verify response analysis criteria

5. Memory issues

   • Reduce payload set size
   • Split large attacks into smaller ones
   • Increase JVM memory allocation

Warning: Always use Burp Suite Intruder ethically and legally. Only test applications you own or have explicit permission to test. Unauthorized testing may violate laws and regulations.

Next Steps

• Repeater Tool Documentation
• Scanner Tool Documentation
• Advanced Intruder Techniques
• Best Practices for Web Application Security Testing