1. Support Center
  2. Documentation
  3. Desktop editions
  4. Tools
  5. Intruder
  6. Attacks

Running attacks

When you have configured all of the settings for your attack, you need to launch the attack, analyze the results, and sometimes modify the attack configuration, link in with your testing workflow, or carry out other actions.

Attack results

The Results tab contains the full details of every request issued in the attack. You can filter and annotate this information to help analyze it, and also use it to drive your testing workflow.

Results table

The results table shows details of all requests and responses that have been made in the attack. Depending on the attack configuration, the table may contain the following columns, some of which are hidden by default and can be unhidden using the Columns menu:

You can reorder the table's contents by clicking on any column header (clicking a header cycles through ascending sort, descending sort, and unsorted). For example, if you prefer the results table to grow "upwards", with the most recent items at the top of the table, then you can apply a descending sort to the request number column.

You can copy the contents of a column by Ctrl-clicking the header.

If you select an item in the table, the request and response for that item are shown in the request/response pane, provided you configured the attack to store requests and responses. If the attack is configured to follow redirections, all intermediate responses and requests are also displayed, alongside the initial request and final response. The request/response pane contains an HTTP message editor for each message, providing detailed analysis. You can also double-click an item in the table to show the request and response in a pop-up window.

Analyzing results

A key part of effectively interpreting the results of an attack is locating interesting or successful server responses, and identifying the requests that generated these. Interesting responses can usually be differentiated through at least one of the following:

For example, in a content discovery exercise, requests for existing resources might return a "200 OK" response of varying lengths, while requests for nonexistent resources might return a "404 Not found" response, or a "200 OK" response containing a fixed-length custom error page. Or in a password guessing attack, failed login attempts might generate a "200 OK" response containing the keywords "login failed", while a successful login might generate a "302 Object moved" response, or a "200 OK" response of a different length containing the word "welcome". The types of response features that are relevant will generally depend on the type of attack being performed.

You can use the following techniques to help analyze the attack results and identify interesting items:

Intruder attacks display filter

The results tab has a display filter that can be used to hide some of its content from view, to make it easier to analyze and work on the content you are interested in.

The filter bar above the results table describes the current display filter. Clicking the filter bar opens the filter options for editing. The filter can be configured based on the following attributes:

The content displayed within the results table is effectively a view into an underlying database, and the display filter controls what is included in that view. If you set a filter to hide some items, these are not deleted, only hidden, and will reappear if you unset the relevant filter. This means you can use the filter to help you systematically examine a large set of results (e.g. from fuzzing a request containing many parameters) to understand where different kinds of interesting responses appear.

Annotations

You can annotate attack results items by adding comments and highlights. This can be useful to flag up interesting responses for further investigation.

You can add highlights in two ways:

You can add comments in two ways:

When you have annotated interesting requests, you can use column sorting and the display filter to quickly find these items later.

Burp Intruder testing workflow

As well as displaying details of all requests and responses, the attack results let you to control and initiate specific attacks and carry out other actions, using the context menu. The following options are available:

Attack configuration tabs

As well as the Results tab, the attack window contains a clone of each of the configuration tabs from the main UI on which the current attack was based. This enables you to review and modify the attack configuration while the attack is underway.

For further details, see the help on each of the configuration tabs:

When modifying the configuration of a running attack, the following points should be noted:

Results menus

The results view contains several menus with commands for controlling the attack, and carrying out other actions. These are described below.

Attack menu

This contains commands to pause, resume, or repeat the attack.

Save menu

Columns menu

This lets you select which available columns are visible in the attack results table.