Burp Suite is one of the most popular intercepting proxies out there, and it features an Intruder option that lets us enumerate over parameters with payloads from wordlists. Intruder is powerful and extensive, and it can be used in many combinations to produce some amazing results. In this article, we’re going to be looking at the different attack types Intruder features.
Burp Suite’s Intruder option comes with 4 attack modes, viz.,
- Sniper
- Battering Ram
- Pitchfork
- Cluster Bomb
We’re going to take a closer look at them, for which we’re going to use the following request and wordlists.
```
POST / HTTP/1.1
Host: 10.10.10.100:33664
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://10.10.10.100:33664/
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

password=test
```
You can load your own wordlists by clicking Load.
The request and the wordlists we are using might not be the best example of a real-world scenario where you’d use the Burp Intruder, but our goal is to understand the attack types and it serves that purpose well enough.
The sniper attack enumerates over each parameter, one at a time. So if you have multiple parameters, it will enumerate the first parameter with all the payloads from the wordlist supplied and then move on to the second and so on.
```
1st request - param1=wordlist&param2=
2nd request - param1=wordlist&param2=
...
```
After enumerating through param1 with all the payloads from the wordlist,
```
1st request - param1=&param2=wordlist
2nd request - param1=&param2=wordlist
...
```
The battering ram attack enumerates over multiple parameters with the same payload for all the parameters.
```
1st req - param1=wordlist&param2=wordlist
2nd req - param1=wordlist&param2=wordlist
...
```
The pitchfork attack type enumerates over multiple parameters at the same time, using different payloads for each parameter.
```
1st request - param1=wordlist1&param2=wordlist2
2nd request - param1=wordlist1&param2=wordlist2
...
```
The cluster bomb attack type enumerates over multiple parameters by using all the possible combinations of payloads from the multiple wordlists.
So if you have multiple parameters, it will enumerate over one of the parameters with all the payloads from its respective wordlist, while the other parameters have the first payload from their respective wordlists loaded.
```
1st request - param1=wordlist1&param2=wordlist2
2nd request - param1=wordlist1&param2=wordlist2
3rd request - param1=wordlist1&param2=wordlist2
...
```
After enumerating through param1 with all the payloads from wordlist1,
```
1st request - param1=wordlist1&param2=wordlist2
2nd request - param1=wordlist1&param2=wordlist2
3rd request - param1=wordlist1&param2=wordlist2
...
```
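To make the ordering and the request count of each attack type concrete, here is a small model of the four modes; it is an added example, not code from the article or from Burp, and it sends nothing. The function names, base values and wordlists are constructed for illustration; note that in sniper mode Burp leaves untargeted positions at their base value, so the model takes base values as input.

```python
from itertools import product

def sniper(base, wordlist):
    """One payload set; target one position at a time, others keep base values."""
    for name in base:
        for payload in wordlist:
            yield {**base, name: payload}

def battering_ram(base, wordlist):
    """One payload set; the same payload goes into every position."""
    for payload in wordlist:
        yield {name: payload for name in base}

def pitchfork(base, wordlists):
    """One payload set per position, walked in lockstep; stops at the shortest."""
    for combo in zip(*wordlists):
        yield dict(zip(base, combo))

def cluster_bomb(base, wordlists):
    """One payload set per position; every combination, first position fastest."""
    for combo in product(*reversed(wordlists)):
        yield dict(zip(base, reversed(combo)))

def body(params):
    """Render a parameter dict as a form-encoded body (no URL-encoding here)."""
    return "&".join(f"{k}={v}" for k, v in params.items())

# Constructed sample data: two positions with base values, two small wordlists.
BASE = {"param1": "a", "param2": "b"}
WL1 = ["u1", "u2", "u3"]
WL2 = ["p1", "p2"]

def plan():
    """Return the request bodies each attack type would generate, in order."""
    return {
        "sniper": [body(p) for p in sniper(BASE, WL1)],
        "battering ram": [body(p) for p in battering_ram(BASE, WL1)],
        "pitchfork": [body(p) for p in pitchfork(BASE, [WL1, WL2])],
        "cluster bomb": [body(p) for p in cluster_bomb(BASE, [WL1, WL2])],
    }

if __name__ == "__main__":
    for attack, bodies in plan().items():
        print(f"{attack}: {len(bodies)} requests")
        for b in bodies:
            print("   ", b)
```

With 2 positions and lists of 3 and 2 payloads this gives 6, 3, 2 and 6 requests respectively; cluster bomb grows as the product of the list sizes, which is the figure to check before running it against a rate-limited or fragile target.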