Understanding Burp Suite Intruder Attack Types

Burp Suite is one of the most popular intercepting proxies out there and it features an Intruder option which allows us to enumerate over parameters with payloads from wordlists. This Intruder option is very powerful, extensive and could be used in a lot of various combinations to produce some amazing results. In this article, we’re going to be looking at the different attack types Intruder features.

The Burp Suite’s Intruder option comes with 4 attack modes, viz.,

  • Sniper
  • Battering Ram
  • Pitchfork
  • Cluster Bomb

We’re going to take a closer look at them, for which we’re going to use the following request and wordlists.

The request

POST / HTTP/1.1
Host: 10.10.10.100:33664
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://10.10.10.100:33664/
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

password=test

You enter your own wordlists by clicking on load.

The request and the wordlists we are using might not be the best example of a real-world scenario where you’d use the Burp Intruder, but our goal is to understand the attack types and it serves that purpose well enough.

Sniper

Wordlists: Single

The sniper attack enumerates over each parameter, one at a time. So if you have multiple parameters, it will enumerate the first parameter with all the payloads from the wordlist supplied and then move on to the second and so on.

Format:

1st request - param1=wordlist[0]&param2=
2nd request - param1=wordlist[1]&param2=
...

After enumerating through param1 with all the payloads from wordlist,

1st request - param1=&param2=wordlist[0]
2nd request - param1=&param2=wordlist[1]
...

Battering Ram

Wordlists: Single

The battering ram attack enumerates over multiple parameters with the same payload for all the parameters.

Format:

1st req - param1=wordlist[0]&param2=wordlist[0]
2nd req - param1=wordlist[1]&param2=wordlist[1]
...

Pitchfork

Wordlists: Multiple

The pitchfork attack type enumerates over multiple parameters at the same time using different payloads for each parameter at the same time.

Format:

1st request - param1=wordlist1[0]&param2=wordlist2[0] 
2nd request - param1=wordlist1[1]&param2=wordlist2[1]
...

Cluster Bomb

Wordlists: Multiple

The cluster bomb attack type enumerates over multiple parameters by using all the possible combinations of payloads from the multiple wordlists.

So if you have multiple parameters, it will enumerate over one of the parameters with all the payloads from its respective wordlist, while the other parameters have the first payload from their respective wordlists loaded.

Format:

1st request - param1=wordlist1[0]&param2=wordlist2[0]
2nd request - param1=wordlist1[1]&param2=wordlist2[0]
3rd request - param1=wordlist1[2]&param2=wordlist2[0]
...

After enumerating through param1 with all the payloads from wordlist1,

1st request - param1=wordlist1[0]&param2=wordlist2[1]
2nd request - param1=wordlist1[1]&param2=wordlist2[1]
3rd request - param1=wordlist1[2]&param2=wordlist2[1]
...

 

Back to top button
Close