Understanding Burp Suite Intruder Attack Types

Burp Suite is one of the most popular intercepting proxies out there and it features an Intruder option which allows us to enumerate over parameters with payloads from wordlists. This Intruder option is very powerful, extensive and could be used in a lot of various combinations to produce some amazing results. In this article, we’re going to be looking at the different attack types Intruder features.

The Burp Suite’s Intruder option comes with 4 attack modes, viz.,

  • Sniper
  • Battering Ram
  • Pitchfork
  • Cluster Bomb

We’re going to take a closer look at them, for which we’re going to use the following request and wordlists.

The request

POST /node?destination=node HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.40.130/
Cookie: SESSfc1efd5491f0d14e0f1159632900f35a=u19ovnibghqctj7ub20ucs80m3
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

name=mangoes&pass=mangoes&op=Log+in&form_build_id=form-8c177326bb0bd4b4f5b60a0e8c842bdd&form_id=user_login_block

We’re going to enumerate the values submitted to the two parameters - name and pass for which we’re going to use the following wordlists.

Wordlist 1

apple
banana
cherries
dates
mangoes

Wordlist 2

carrots
cauliflower
potatoes
chillies
onions

The request and the wordlists we are using might not be the best example of a real-world scenario where you’d use the Burp Intruder, but our goal is to understand the attack types and it serves that purpose well enough.

Sniper

Wordlists: Single

The sniper attack enumerates over each parameter, one at a time. So if you have multiple parameters, it will enumerate the first parameter with all the payloads from the wordlist supplied and then move on to the second and so on.

Format:

1st request - param1=wordlist[0]&param2=
2nd request - param1=wordlist[1]&param2=
...

After enumerating through param1 with all the payloads from wordlist,

1st request - param1=&param2=wordlist[0]
2nd request - param1=&param2=wordlist[1]
...

sniper-reqs

Battering Ram

Wordlists: Single

The battering ram attack enumerates over multiple parameters with the same payload for all the parameters.

Format:

1st req - param1=wordlist[0]&param2=wordlist[0]
2nd req - param1=wordlist[1]&param2=wordlist[1]
...

battering-ram-reqs

Pitchfork

Wordlists: Multiple

The pitchfork attack type enumerates over multiple parameters at the same time using different payloads for each parameter at the same time.

Format:

1st request - param1=wordlist1[0]&param2=wordlist2[0] 
2nd request - param1=wordlist1[1]&param2=wordlist2[1]
...

pitchfork-reqs

Cluster Bomb

Wordlists: Multiple

The cluster bomb attack type enumerates over multiple parameters by using all the possible combinations of payloads from the multiple wordlists.

So if you have multiple parameters, it will enumerate over one of the parameters with all the payloads from its respective wordlist, while the other parameters have the first payload from their respective wordlists loaded.

Format:

1st request - param1=wordlist1[0]&param2=wordlist2[0]
2nd request - param1=wordlist1[1]&param2=wordlist2[0]
3rd request - param1=wordlist1[2]&param2=wordlist2[0]
...

After enumerating through param1 with all the payloads from wordlist1,

1st request - param1=wordlist1[0]&param2=wordlist2[1]
2nd request - param1=wordlist1[1]&param2=wordlist2[1]
3rd request - param1=wordlist1[2]&param2=wordlist2[1]
...

cluster-bomb-reqs


Share on

           

comments powered by Disqus