Using Burp Intruder

Burp Intruder is a tool for automating customized attacks against web applications. It is extremely powerful and configurable, and can be used to perform a huge range of tasks, from simple brute-force guessing of web directories through to active exploitation of complex blind SQL injection vulnerabilities.

How Intruder works

Burp Intruder works by taking an HTTP request (called the "base request"), modifying the request in various systematic ways, issuing each modified version of the request, and analyzing the application's responses to identify interesting features.

For each attack, you must specify one or more sets of payloads, and the positions in the base request where the payloads are to be placed. Numerous methods of generating payloads are available (including simple lists of strings, numbers, dates, brute force, bit flipping, and many others). Payloads can be placed into payload positions using different algorithms. Various tools are available to help analyze the results and identify interesting items for further investigation.

Typical uses

Burp Intruder is a very flexible tool and can help automate all kinds of tasks when testing web applications. The most common use cases for Intruder fall into the following categories:

• Enumerating identifiers
• Harvesting useful data
• Fuzzing for vulnerabilities

For a further discussion of the kinds of attacks that can be performed using Burp Intruder, see The Web Application Hacker's Handbook (chapter 13 in the first edition, and chapter 14 in the second edition).

Enumerating identifiers

Web applications frequently use identifiers to refer to items of data and resources; for example, usernames, document IDs, and account numbers. Often, you will need to cycle through a large number of potential identifiers to enumerate which ones are valid or worthy of further investigation. To do this in Burp Intruder, you need to perform the following steps:

• Find an application request that contains the identifier in a parameter, and where the response indicates whether the identifier is valid.
• Configure a single payload position at the parameter's value.
• Use a suitable payload type to generate potential identifiers to test, using the correct format or scheme.
• Identify a feature of the response from which valid identifiers can be reliably inferred, and configure Burp accordingly. For example, if a valid identifier returns a different HTTP status code or response length, you can sort the attack results on this attribute. Or if a valid identifier returns a response containing a specific expression, you can define a match grep item to pick out responses that match this expression.

Some examples of real-world attacks of this type are as follows:

• If the application's login failure messages let you enumerate valid usernames, use the username generator payload type to cycle through a long list of possible usernames and identify valid ones.
• Having identified a list of valid usernames, you can use the simple list payload type with a set of common passwords to attempt to guess user's passwords.
• If an application function lets you view details of any order, by submitting a valid order ID, you can use the custom iterator payload type to generate potential order IDs in the correct format, and trawl for other users' orders.
• If an application uses meaningful structured session tokens that are encrypted using a CBC cipher, you can use the bit flipper payload type to systematically modify a valid token to try to meaningfully tamper with its decrypted value.

Harvesting useful data

In many situations, rather than simply identifying valid identifiers, you need to extract some interesting data about each item, to help you focus your efforts on the most critical items, or to feed in to other attacks. To do this in Burp Intruder, you need to perform the following steps:

• Find an application request that contains an identifier in a parameter, and where the response contains the interesting data about the requested item.
• Configure a single payload position at the parameter's value.
• Use a suitable payload type to generate potential identifiers to test, using the correct format or scheme.
• Configure an extract grep item to retrieve the relevant data from each response, and list this in the attack results.

Some examples of real-world attacks of this type are as follows:

• If the application has a "Forgotten password" feature that takes a username as a parameter and displays a password hint that was set by that user, you can cycle through a simple list of common usernames, and extract the password hint for each valid user. You can then quickly scan the listing of retrieved hints to locate ones that are easily guessed.
• If the application returns some content dynamically, via a single URL that contains a numeric page ID parameter, you can use the numbers payload type to cycle through all possible identifiers and retrieve the HTML title tag for each page. You can then quickly review the list of available pages to identify any that are particularly interesting or which you should not be allowed to access.
• If application has a "User profile" page containing information about each user, including their role in the application, you can cycle through an already extracted list of usernames, and retrieve the role for each user, allowing you to quickly identify administrative accounts for further targeted attacks.

Fuzzing for vulnerabilities

Many input-based vulnerabilities, such SQL injection, cross-site scripting, and file path traversal can be detected by submitting various test strings in request parameters, and analyzing the application's responses for error messages and other anomalies. Given the size and complexity of today's applications, performing this testing manually is a time consuming and tedious process.

You can automate web application fuzzing with Burp Intruder, using the following steps:

• Configure payload positions at the values of all request parameters.
• Use the simple list payload type.
• Configure the payload list using one of Burp's predefined payload lists containing common fuzz strings, or your own list of attack strings.
• Configure match grep items with various common error message strings. The default options in the match grep UI include a list of useful strings for this purpose.
• After launching the attack, review the attack results to identify interesting errors and other anomalies. You should sort the results table on each of the match grep columns, and also on other relevant columns such as response length, HTTP status code, response timers, etc.

Note: When fuzzing, you will typically want to test a large number of requests using the same Intruder payloads and match grep configuration. To facilitate this, you can use the Intruder menu to configure the "New tab behavior" option to "Copy configuration from last tab". Then, when you have configured your payloads and grep strings for one request, subsequent requests that you send to Intruder will pick up the same configuration options within their tab. To fuzz multiple requests, you then simply need to send each one to Intruder, and choose "Start attack" from the Intruder menu.

Configuring an attack

The main Intruder UI lets you configure multiple attacks simultaneously, each in its own tab. When you send requests to Intruder, each one is opened in its own numbered tab. Each attack configuration tab contains several sub-tabs that are used to configure the attack. Use the links below for help on the details of each tab:

• Target - This is used to configure the details of the target server for the attack.
• Positions - This is used to configure the request template for the attack, together with payload positions, and the attack type (this determines the way in which payloads are assigned to payload positions).
• Payloads - This is used to configure one or more sets of payloads, which will be placed into payload positions during the attack.
• Options - This is used to configure numerous other options affecting the attack.

The easiest way to create a new Intruder attack is to select the relevant base request within another Burp tool (such as the Proxy history or Target site map), and use the "Send to Intruder" option on the context menu. This will create a new attack tab, and automatically populate the Target and Positions tabs with the relevant details about the base request. You can then modify the automatic payload positions if required, and configure suitable payloads and other attack options.

Burp Intruder has a number of functions to help you manage attack configurations. These functions are available via the Intruder menu:

• You can save the attack configuration for the current tab, and reload it later. When loading or saving, you can optionally include or exclude the payload positions settings. Including the payload positions settings lets you save the full configuration for a specific attack. Excluding the payload positions settings lets you save a generic attack configuration that can be reused for another base request template and payload positions - for example, your preferred configuration for fuzzing a particular type of request.
• You can copy attack configurations between two existing tabs, or into a new tab. Again, you can optionally include or exclude the payload positions settings.
• You can control how Intruder handles attack configurations when you open a new attack tab (by clicking on the right-most "..." tab, or sending a new request to Intruder). You can optionally use the default attack configuration, copy the configuration from the first open tab, or copy the configuration from the last open tab. Using the latter options lets you create a generic attack configuration (e.g. for fuzzing), and automatically apply this to each new request that you send to Intruder.

The attack tabs themselves are easy to manage. You can:

• Rename tabs by double-clicking the tab header.
• Reorder tabs by dragging them.
• Open a new tab by clicking on the right-most "..." tab.
• Close tabs by clicking the X button in the tab header.

Launching an attack

When your attack is fully configured, you can launch the attack by selecting "Start attack" from the Intruder menu.

Each attack runs in a new window, containing detailed results, with full requests and responses (if configured). There are various functions to help you analyze the results, and identify interesting items for further investigation. You can:

• Sort the results columns to order the items according to different attributes (HTTP status code, response length, etc.).
• Unhide additional results columns that are hidden by default.
• Define new match grep and extract grep items when the attack is already underway, to perform further analysis based on the observed results.
• Set a display filter and annotate results.
• Save the contents of the results table.
• Use the context menu to carry out other actions and integrate with your testing workflow.
• Professional Save the entire attack. To later reload a saved attack, select "Open saved attack" on the Intruder menu.