Intruder

• Intruder is Burp Suite's in-built fuzzing tool

• There are four Intruder sub-tabs:

  • Positions lets us select an Attack Type, as well as configure where in the request template we want to insert our payloads

  • Payloads

    • Let us select values to insert into each of the positions we define in the positions tab

    • We can define pre-processing rules to apply to each payload

  • Resource Pool

    • Lets us divide our resources between tasks

Attack Types

• Sniper

  • We provide one set of payloads

  • Intruder will take each payload in a payload set and put it into each defined position in turn

  • Very good for single-position attacks (password brute force if we know the username or fuzzing for API endpoints)

• Battering Ram

  • Takes one set of payloads and puts the same payload in every position rather than in each position in turn

• Pitchfork

  • Think of pitchfork as being like having numerous Snipers running at the same time

  • Pitchfork uses one payload set per position (up to a maximum of 20) and iterates through them all at once

• Cluster Bomb

  • Lets us choose multiple payload sets: one per position, up to a maximum of 20

  • Iterates through each payload set individually, making sure that every possible combination of payloads is tested