Intruder

  • Intruder is Burp Suite's in-built fuzzing tool

  • There are four Intruder sub-tabs:

    • Positions lets us select an Attack Type, as well as configure where in the request template we want to insert our payloads

    • Payloads

      • Lets us select the values to insert into each of the positions we defined in the Positions tab

      • We can define pre-processing rules to apply to each payload

    • Resource Pool

      • Lets us divide our resources between tasks

Attack Types

  • Sniper

    • We provide one set of payloads

    • Intruder will take each payload in a payload set and put it into each defined position in turn

    • Very good for single-position attacks (e.g. a password brute-force when we already know the username, or fuzzing for API endpoints)

  • Battering Ram

    • Takes one set of payloads and puts the same payload in every position rather than in each position in turn

  • Pitchfork

    • Think of Pitchfork as numerous Snipers running at the same time

    • Pitchfork uses one payload set per position (up to a maximum of 20) and iterates through them all simultaneously: the nth request takes the nth payload from every set, so the attack ends when the smallest set is exhausted

  • Cluster Bomb

    • Lets us choose multiple payload sets: one per position, up to a maximum of 20

    • Iterates through each payload set in turn, making sure that every possible combination of payloads is tested

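As an added illustration (not part of the original notes and not Burp's own code), the Python below models how each attack type combines payload sets with marked positions, which makes the request counts of the four modes easy to compare. The § markers follow Burp's Positions-tab convention; the login template and payload lists are constructed samples, and the ordering of Cluster Bomb requests is itertools' rather than Burp's.

```python
import itertools
import re
from typing import Iterator, List, Sequence

# Positions are delimited with § markers, as in Burp's Positions tab; the text
# between the markers is the request's original value for that position.
MARKER = re.compile(r"§([^§]*)§")
# Constructed sample: a login body with two marked positions.
SAMPLE = "username=§admin§&password=§letmein§"

def positions(template: str) -> List[str]:
    """Original value of every marked position, left to right."""
    return MARKER.findall(template)

def render(template: str, values: Sequence[str]) -> str:
    """Substitute one value per marked position; reject a length mismatch."""
    if len(values) != len(positions(template)):
        raise ValueError("one value per position is required")
    it = iter(values)
    return MARKER.sub(lambda _m: next(it), template)

def sniper(template: str, payload_set: Sequence[str]) -> Iterator[str]:
    """One set; each payload goes into each position in turn while the other
    positions keep their original value. Requests = positions x payloads."""
    base = positions(template)
    for idx in range(len(base)):
        for payload in payload_set:
            values = list(base)
            values[idx] = payload
            yield render(template, values)

def battering_ram(template: str, payload_set: Sequence[str]) -> Iterator[str]:
    """One set; the same payload fills every position. Requests = payloads."""
    n = len(positions(template))
    for payload in payload_set:
        yield render(template, [payload] * n)

def pitchfork(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position, advanced in lock-step; stops when the shortest
    set is exhausted. Requests = size of the smallest set."""
    for combo in zip(*payload_sets):
        yield render(template, combo)

def cluster_bomb(template: str, payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """One set per position; every combination is tried (itertools.product
    order, which need not match Burp's). Requests = product of set sizes."""
    for combo in itertools.product(*payload_sets):
        yield render(template, combo)
```

Running the four generators over SAMPLE with the same inputs shows why Cluster Bomb's request volume grows multiplicatively with the number of positions while Pitchfork's stays bounded by the smallest set.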