TryHackMe: Burp Suite: Intruder

Ayan Mukherjee
8 min read, Nov 6, 2023

Intruder is an important part of Burp Suite. Beyond simply replaying a request over and over, it can be tuned to perform much more complex tasks. The room link is https://tryhackme.com/room/burpsuiteintruder

INTRODUCTION

Burp Suite’s Intruder module is a powerful tool that allows for automated and customisable attacks. It provides the ability to modify specific parts of a request and perform repetitive tests with variations of input data. Intruder is particularly useful for tasks like fuzzing and brute-forcing, where different values need to be tested against a target.

No Answer required for this section

WHAT IS INTRUDER

Intruder is Burp Suite’s built-in fuzzing tool that allows for automated request modification and repetitive testing with variations in input values. By using a captured request (often from the Proxy module), Intruder can send multiple requests with slightly altered values based on user-defined configurations. It serves various purposes, such as brute-forcing login forms by substituting username and password fields with values from a wordlist or performing fuzzing attacks using wordlists to test subdirectories, endpoints, or virtual hosts. Intruder’s functionality is comparable to command-line tools like Wfuzz or ffuf.

However, it’s important to note that while Intruder can be used with Burp Community Edition, it is rate-limited there, which makes it significantly slower than in Burp Professional. This limitation often leads security practitioners to rely on other tools for fuzzing and brute-forcing. Nonetheless, Intruder remains a valuable tool, and it is worth learning how to use it effectively.

There are four major tabs in Intruder: Positions, Payloads, Resource Pool and Settings. We will cover Positions and Payloads in detail in the sections below.

POSITIONS

This tab allows us to select an attack type (covered in a later section) and configure where we want to insert our payloads in the request template. When using Burp Suite Intruder to perform an attack, the first step is to mark the positions within the request where we want to insert our payloads. These positions tell Intruder where each payload will be substituted.

On the right-hand side of the interface, we find the following buttons: Add §, Clear §, and Auto §:

  • The Add § button allows us to define new positions manually by highlighting them within the request editor and then clicking the button.
  • The Clear § button removes all defined positions, providing a blank canvas where we can define our own positions.
  • The Auto § button automatically attempts to identify the most likely positions based on the request. This feature is helpful if we previously cleared the default positions and want them back.

PAYLOADS

Here we can select values to insert into the positions defined in the Positions tab. We have various payload options, such as loading items from a wordlist. The way these payloads are inserted into the template depends on the attack type chosen in the Positions tab. The Payloads tab also enables us to modify Intruder’s behavior regarding payloads, such as defining pre-processing rules for each payload (e.g., adding a prefix or suffix, performing match and replace, or skipping payloads based on a defined regex).

Payload Sets: This section allows us to choose the position for which we want to configure a payload set and select the type of payload we want to use.

Payload settings: This section provides options specific to the selected payload type for the current payload set.

Payload Processing: In this section, we can define rules to be applied to each payload in the set before it is sent to the target.

Payload Encoding: The section allows us to customize the encoding options for our payloads.

SNIPER

The Sniper attack type is the default and most commonly used attack type in Burp Suite Intruder. It is particularly effective for single-position attacks, such as password brute-force or fuzzing for API endpoints. In a Sniper attack, we provide one set of payloads, which can be a wordlist or a range of numbers, and Intruder inserts each payload into each defined position in turn, leaving the other positions at their original values. The total number of requests made by Intruder Sniper can be calculated as requests = numberOfWords * numberOfPositions.

The Sniper attack type is the right choice when we want to test one position at a time with a single payload set. Because only one position changes per request, it is easy to attribute a response difference to a specific payload at a specific position.

BATTERING RAM

The Battering ram attack type in Burp Suite Intruder differs from Sniper in that it places the same payload in every position simultaneously, rather than substituting each payload into each position in turn. In a Battering Ram attack, the same payload is thrown at every defined position simultaneously, providing a brute-force-like approach to testing.

The Battering Ram attack type is useful when we want to test the same payload against multiple positions at once without the need for sequential substitution.

PITCHFORK

The Pitchfork attack type in Burp Suite Intruder is similar to having multiple Sniper attacks running in parallel. While Sniper uses one payload set and attacks each position in turn, Pitchfork uses one payload set per position (up to a maximum of 20) and iterates through them all in lock-step. Pitchfork takes the first item from each list and substitutes them into the request, one per position. It then repeats this process for the next request by taking the second item from each list and substituting it into the template. Intruder continues this iteration until the shortest list runs out of items. It’s important to note that Intruder stops testing as soon as one of the lists is exhausted. Therefore, in Pitchfork attacks, it is ideal for the payload sets to have the same length. If the lengths of the payload sets differ, Intruder will only make requests until the shorter list is exhausted, and the remaining items in the longer list will not be tested.

The Pitchfork attack type is especially useful when conducting credential-stuffing attacks or when multiple positions require separate payload sets. It allows for simultaneous testing of multiple positions with different payloads.

CLUSTER BOMB

The Cluster bomb attack type in Burp Suite Intruder allows us to choose multiple payload sets, one per position (up to a maximum of 20). Unlike Pitchfork, which walks all payload sets in lock-step and pairs only items at the same index, Cluster bomb iterates through every combination of the provided payload sets: it holds all but the last position fixed, cycles the last position through its whole set, then advances the next position and repeats, so that every value from each payload set is tested in its corresponding position together with every value of the other sets.

Cluster bomb attacks can generate a significant amount of traffic as it tests every combination. The number of requests made by a Cluster bomb attack can be calculated by multiplying the number of lines in each payload set together. It’s important to be cautious when using this attack type, especially when dealing with large payload sets. Additionally, when using Burp Community and its Intruder rate-limiting, the execution of a Cluster bomb attack with a moderately sized payload set can take a significantly longer time.

The Cluster bomb attack type is particularly useful for credential brute-forcing scenarios where the mapping between usernames and passwords is unknown.

INTRODUCTION TO ATTACK TYPES

Just as a brief summary.

  1. Sniper: The Sniper attack type is the default and most commonly used option. It uses a single payload set and cycles through it, inserting one payload at a time into one position while the other positions keep their original values, then moves on to the next position. Sniper attacks iterate through all the payloads in a linear fashion, allowing for precise and focused testing.
  2. Battering ram: The Battering ram attack type differs from Sniper in that it uses a single payload set and places the same payload into every position at once, one payload per request. This attack type is useful when the same value has to appear in several places, for example a username that is repeated in the body and in a header.
  3. Pitchfork: The Pitchfork attack type enables the simultaneous testing of multiple positions with different payloads. It allows the tester to define multiple payload sets, each associated with a specific position in the request, and walks them in lock-step (first item of every set, then second item of every set, and so on). Pitchfork attacks are effective when there are distinct parameters that need separate but paired payloads, such as known username/password pairs.
  4. Cluster bomb: The Cluster bomb attack type also takes one payload set per position, but instead of walking the sets in lock-step it tests every combination of payloads across the sets. This attack type is useful when multiple positions have different payload sets and the pairing between them is unknown.

PRACTICAL EXAMPLE

This example shows how to perform basic Intruder tasks. It walks step by step through loading a wordlist for the various positions. It is highly recommended to do hands-on practice on all of the remaining practical examples.

PRACTICAL CHALLENGE

This task shows the kind of vulnerability, such as IDOR, that can arise in features like opening support tickets, where a predictable ticket identifier can be enumerated with Intruder.

EXTRA MILE CHALLENGE

This task helps the user learn how to configure a macro for Burp Suite Intruder. This is a helpful feature when requests contain ever-changing cookies and tokens (for example a CSRF token that is issued afresh with each login page and rejected if reused), because a session handling rule can run the macro before every Intruder request and update the token from its response.
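To see why the macro is needed, the following added example (my own code, not part of the room or of Burp) simulates the situation with a constructed in-process login form that issues a single-use CSRF token on every GET. The first function replays one captured request the way Intruder does with no session handling rule; the second fetches the page and re-extracts the token before every request, which is what a session handling rule running a macro does. Credentials, session identifiers and the token format are all assumptions for the demo.

```python
import re
import secrets


class FakeLoginApp:
    """Constructed stand-in for a login form protected by a single-use CSRF token.
    Each GET of the login page issues a fresh token bound to the session; the
    POST consumes it, so a captured request cannot simply be replayed."""

    VALID = ("admin", "hunter2")  # assumed credentials for this demo only

    def __init__(self):
        self._tokens = {}  # session id -> currently valid token

    def get_login_page(self, session_id):
        token = secrets.token_hex(8)
        self._tokens[session_id] = token
        return f'<form method="post"><input type="hidden" name="csrf" value="{token}"></form>'

    def post_login(self, session_id, csrf, username, password):
        expected = self._tokens.pop(session_id, None)  # token is single-use
        if expected is None or csrf != expected:
            return 403  # token missing, stale or reused
        return 302 if (username, password) == self.VALID else 200


TOKEN_RE = re.compile(r'name="csrf" value="([0-9a-f]+)"')


def extract_token(html):
    """The 'custom parameter location' step of a Burp macro: pull the token out."""
    match = TOKEN_RE.search(html)
    if match is None:
        raise ValueError("csrf token not found in login page")
    return match.group(1)


def brute_force_naive(app, username, passwords):
    """Replay one captured request with each password, as Intruder does with no
    session handling rule. The token is consumed by the first request, so every
    later attempt is rejected with 403 regardless of the password."""
    session = "naive-session"
    token = extract_token(app.get_login_page(session))
    return [(pw, app.post_login(session, token, username, pw)) for pw in passwords]


def brute_force_with_macro(app, username, passwords):
    """Fetch the login page before every request and refresh the csrf parameter
    from the response, which is what a session handling rule running a macro does."""
    session = "macro-session"
    results = []
    for pw in passwords:
        token = extract_token(app.get_login_page(session))  # the macro step
        results.append((pw, app.post_login(session, token, username, pw)))
    return results


def found_password(results):
    """Return the password whose response was the redirect, or None."""
    for pw, status in results:
        if status == 302:
            return pw
    return None


if __name__ == "__main__":
    wordlist = ["123456", "password", "hunter2", "letmein"]  # constructed wordlist
    app = FakeLoginApp()
    print("naive:", brute_force_naive(app, "admin", wordlist))
    print("macro:", found_password(brute_force_with_macro(app, "admin", wordlist)))
```

The naive run is the trap to watch for in real engagements: every response after the first is a 403, so sorting the Intruder results by status or length shows nothing interesting and the valid password is never reached. In Burp the fix is a session handling rule (Settings, Sessions) scoped to Intruder whose action runs a macro that requests the login page and updates the csrf parameter from the macro response.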

IT IS HIGHLY RECOMMENDED TO GO THROUGH THE SECTION AND PRACTICE THE CHALLENGE. ANY ANSWER GIVEN HERE IS ONLY TO HELP IN CASE NOTHING ELSE WORKS OUT.
