First, let's take a look at the settings interface of the Payload positions tab:

(figure: the Payload positions tab)

From the picture above, we can see that a Payload position is defined against the original HTTP request message, which serves as the template (the "motherboard"): a pair of § characters marks each Payload position, and the text enclosed between the two § characters is the original content of the template at that point.
Once a Payload position has been marked in the request message, Burp Intruder, when the attack is launched, places a payload value at that position, replacing everything enclosed by the § symbols. In the figure above, the § pair after the parameter id marks Payload position 1 and the § pair after name marks Payload position 2.
The value inserted comes from the Payload set configured on the Payloads tab. Payload positions are edited in the message editor in the middle of the tab, mainly through the buttons on the right:
- [Add §]: add a Payload position marker at the current cursor position.
- [Clear §]: clear all Payload position markers, or only the selected ones.
- [Auto §]: make a guess at which parameters in the message content may need to be marked, and mark them as Payload positions. After automatic marking, you select manually which positions should actually receive payloads. Burp currently selects the following parameter types automatically: 1. URL request parameters; 2. body parameters; 3. cookie parameters; 4. composite parameter attributes, such as file names when uploading files; 5. XML data; 6. JSON data. Although Burp marks these parameter types as Payload positions by default, node attribute values inside XML or JSON still have to be marked manually.
- [Refresh]: refresh the colour highlighting of the message content.
- [Clear]: clear all contents of the message editor.

Above the message editor there is a drop-down box, Attack Type. Burp Intruder supports several ways of using payloads to simulate an attack; currently there are the following four types.
Sniper mode (Sniper): uses a single Payload set and replaces the text marked by § at the Payload position (only one Payload position is used in an attack; text not marked by § is unaffected), then sends the request to the server. It is usually used to test whether individual request parameters are vulnerable.

Battering ram mode (Battering ram): uses a single Payload set, replaces the text marked by § at the Payload positions (text not marked by § is unaffected), and sends the request to the server. The difference from Sniper mode is that when several parameters are marked as Payload positions, the same payload value is inserted at all of them, whereas Sniper mode uses only one Payload position.

Pitchfork mode (Pitchfork): uses multiple Payload sets (up to 20), one per marked Payload position, and walks through them in parallel. For example, with two Payload positions, where the first set holds A and B and the second holds C and D, launching the attack sends two requests: the first uses A and C, the second uses B and D.

Cluster bomb mode (Cluster bomb): uses multiple Payload sets (up to 20), one per marked Payload position, and iterates through every combination. The main difference from Pitchfork mode is that the payloads sent are the product of the payload sets. For example, with two Payload positions, where the first set holds A and B and the second holds C and D, launching the attack sends four requests: the first uses A and C, the second A and D, the third B and C, and the fourth B and D.

Burp Suite Intruder Options

The optional settings mainly include request header settings, request engine settings, attack result settings, grep match, grep extract, grep payloads and redirection settings. You can configure these before the attack or adjust them while the attack is running.
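As an added illustration of the Payload positions and the four attack types described above (example code written for this page, not code from Burp or the original article), the following script parses a constructed request template in the § notation and enumerates the requests each attack type would send. The template, the function names and the sample payload sets are assumptions; the Sniper case follows Burp's documented behaviour of targeting each marked position in turn.

```python
"""Added example (not Burp's code or the article's): how Burp Intruder's four
attack types combine payload sets at the § Payload positions of a request."""
import itertools
import re

# Constructed request template in the article's notation; the text between each
# § pair is the original ("motherboard") value at that Payload position.
TEMPLATE = "GET /profile?id=§1§&name=§guest§ HTTP/1.1\r\nHost: example.test\r\n\r\n"
MARKER = re.compile("§([^§]*)§")

def positions(template):
    """Original text enclosed by each § pair, in order."""
    return MARKER.findall(template)

def fill(template, values):
    """Replace the n-th § pair (markers included) with values[n]."""
    it = iter(values)
    return MARKER.sub(lambda _m: next(it), template)

def payload_rows(attack_type, sets, n_pos):
    """One row of values per request; None keeps the template's original text."""
    if attack_type == "sniper":
        # Single set, one position at a time; the other positions stay unmodified.
        return [[p if i == pos else None for i in range(n_pos)]
                for pos in range(n_pos) for p in sets[0]]
    if attack_type == "battering ram":
        # Single set, the same value inserted at every marked position at once.
        return [[p] * n_pos for p in sets[0]]
    if attack_type == "pitchfork":
        # One set per position, walked in parallel (stops at the shortest set).
        return [list(row) for row in zip(*sets[:n_pos])]
    if attack_type == "cluster bomb":
        # One set per position, every combination (Cartesian product of the sets).
        return [list(row) for row in itertools.product(*sets[:n_pos])]
    raise ValueError(f"unknown attack type: {attack_type}")

def build_requests(attack_type, template, sets):
    """Render every request the chosen attack type would send for the template."""
    original = positions(template)
    return [fill(template, [original[i] if v is None else v for i, v in enumerate(row)])
            for row in payload_rows(attack_type, sets, len(original))]

def request_lines(attack_type, template, sets):
    """First line of each request, which is enough to see the substitutions."""
    return [r.split("\r\n")[0] for r in build_requests(attack_type, template, sets)]
```

Calling request_lines("cluster bomb", TEMPLATE, [["A", "B"], ["C", "D"]]) yields the four request lines of the article's example, while "pitchfork" with the same sets yields two.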
Request Headers: this setting controls the headers of the request message. It consists of two options: Update Content-Length header and Set Connection: close. If Update Content-Length header is selected, Burp Intruder adds or updates the Content-Length header in each request to the correct value for the length of the request's HTTP body.

This feature is typically needed for attacks that insert a variable-length payload into the body of a templated HTTP request. If the correct value is not specified, the target server may return an error, may respond to an incomplete request, or may wait indefinitely for the rest of the request data. If Set Connection: close is selected, Burp Intruder adds or updates a Connection header with the value "close" in each request message, which makes the attack run faster.
In some cases (when the server itself does not return a valid Content-Length or Transfer-Encoding header), checking this option may be what allows the attack to proceed.

(figure: Request Headers settings)

Request Engine Settings (Request Engine): this setting controls how Burp Intruder issues the attack's requests; tuned properly, it makes the attack run more efficiently. Its parameters are: Number of threads; Number of retries on network failure; Pause before retry, the interval before a retry in milliseconds; Throttle between requests, the delay between requests in milliseconds; and Start time, how long after launching the attack execution begins.
(figure: Request Engine settings)

Attack Results Settings (Attack Results): this setting controls what information is captured from the attack results. Its parameters are: Store requests/responses, to save the request/response messages; Make unmodified baseline, to record the message of the unmodified request template; Use denial-of-service mode, to use DoS mode; and Store full payloads, to store all Payload values.
(figure: Attack Results settings)

Grep Match: this setting is used to look for result items in the response messages; when an item matches, the match is flagged in a new column added to the attack results, which helps sorting and data extraction. For example, in password guessing attacks, scanning for messages such as "Password Incorrect" or "Login Successful" identifies successful logins; when testing for SQL injection, scanning for messages containing "ODBC", "Error", etc. identifies vulnerable parameters.

Its options include Match type, indicating whether the item is a regular expression or a simple string; Case sensitive match, whether matching is case sensitive; and Exclude HTTP headers, whether the HTTP headers are left out when matching.
(figure: Grep Match settings)

Grep Extract: these settings extract useful information from response messages. For each item configured in the list, Burp adds a new result column containing the text extracted by that item; you can then sort on that column by clicking its header.

This option is useful for mining application data and can support a wide range of attacks. For example, if you are looping through a series of document IDs, you can extract the page title of each document to look for interesting items. If you find a function that returns user details, you can iterate over user IDs and retrieve the corresponding users to look for administrative accounts or even passwords.
If the "Forgot Password" function takes a username as a parameter and returns the user's configured password hint, you can run through a list of common usernames, harvest all the password hints, and then browse the list visually for hints that give away easily guessed passwords.

(figure: Grep Extract settings)

Grep Payloads: these settings flag whether a response message contains the Payload value; for example, to verify whether a reflected XSS payload was echoed back, set this item. When it is set, a new column is added to the result list for each Payload group, showing the match result; you can sort and search the result set by clicking the column title.

The settings are similar to the previous section. Note the option Match against pre-URL-encoded payloads: if you configured URL-encode payloads on the Payloads tab, this option matches against the Payload value before encoding rather than the encoded value.
(figure: Grep Payloads settings)

Redirections: these settings control how Burp handles redirections while executing the attack. In practice, redirections often have to be followed to achieve the purpose of the attack.

For example, in a password guessing attack, a wrong password may redirect the response to an error page, while a correct password redirects to the user's home page. But following redirects may also cause other problems.
For example, in some cases the application may store the result of the initial request in your session and retrieve that value when producing the redirected response; in that case, use a single-threaded attack when following redirects. You may also find that the redirect leads to a logout page, so that following it terminates your session. Because the options are essentially the same as the redirection settings of other modules, they are not repeated here.

(figure: Redirections settings)

Intruder attack and result analysis

There are usually two ways to launch an attack. One is to set Target, Positions, Payloads and Options in Burp Intruder and then click [Start attack]; the other is to open a previously saved attack file and then click [Start attack]. Whichever way the attack is launched, Burp opens the attack results window. During the attack you can still modify the attack configuration or perform other operations. The attack results window is shown in the figure below:
(figure: attack results window)

As we can see from the picture above, the interface consists of four parts: the menu area, the filter, the Payload execution results area, and the request/response message area.
- The menu area includes the Attack, Save and Columns menus. The Attack menu controls attack behaviour: you can pause the attack (Pause), resume it (Resume) and run it again (Repeat). The Save menu saves the various data of the attack: Attack saves a copy of the current attack, from which you can relaunch it later; Results table saves the attack's result list, equivalent to the data in the results area in the figure, and you can select rows and columns to export only the data you need; Server responses saves all server response messages; Attack configuration saves the current attack configuration. The Columns menu controls which columns are shown in the results area: a selected column is displayed, an unselected one is hidden.
- Filter: you can filter by search term, server response status code, and the annotations made on rows in the results area.
- The Payload execution results area, also known as the Results Table, records all the request and response information for each Payload executed. Its columns are:
  - Request: the sequence number of the request. If Make unmodified baseline is configured, the unmodified template request is logged first.
  - Payload position: recorded in Sniper mode.
  - Payload: the Payload value used; if there are multiple Payload sets, there is one column per set.
  - Status: the HTTP status code of the server response.
  - Request time: the time the request was sent.
  - Response received: the time until the response started arriving, in milliseconds.
  - Response completed: the time until the response was fully received, in milliseconds.
  - Network error: whether a network problem occurred while executing the payload.
  - Timeout: whether a network timeout occurred while waiting for the response.
  - Length: the length of the response message.
  - Cookie: any cookies set by the response.
  - Grep: if Grep Match, Grep Extract or Grep Payloads is configured, one or more columns showing the match or extracted information.
  - Redirection: shown if redirections are configured.
  - Comment: the comment annotated on the record.
- Request/response message area: refer to the description in the Proxy chapter.

When analysing the attack results, you can reorder the table by clicking any column header (clicking cycles through ascending, descending and unsorted). A key part of interpreting the results effectively is locating valid or successful server responses and determining which requests produced them. Valid responses usually differ in at least one of the following: 1. a different HTTP status code; 2. a different response length; 3. the presence or absence of certain expressions; 4. the occurrence of errors or timeouts; 5. a difference in the time taken to receive or complete the response. For example, during a URL path scan, a request for a resource that does not exist may return a "404 Not Found" response, while a correct URL returns "200 OK". Or in a password guessing attack, a failed login attempt might return a "200 OK" response containing the keyword "Login Failed", while a successful login might return a "302 Object Moved" response or a different "200 OK" response page.
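The five kinds of difference listed above can be applied mechanically to a saved Results table, which is how one finds the few interesting rows among hundreds of near-identical ones. The script below is an added example written for this page, not a Burp feature or the article's own code: it compares each row with the unmodified baseline row and ranks hits by how rare their status/length signature is. The rows, field names and the 50-byte length bucket are constructed assumptions.

```python
"""Added example (not the article's or Burp's code): finding the interesting rows
in an Intruder results table using the response differences the article lists."""
from collections import Counter

# Constructed sample rows of a results table; the first row is the unmodified
# baseline request, the rest one row per payload (all values are made up).
ROWS = [
    {"request": 0, "payload": None,    "status": 200, "length": 1835, "grep": False, "timeout": False},
    {"request": 1, "payload": "admin", "status": 200, "length": 1835, "grep": False, "timeout": False},
    {"request": 2, "payload": "test",  "status": 200, "length": 1835, "grep": False, "timeout": False},
    {"request": 3, "payload": "alice", "status": 500, "length": 942,  "grep": True,  "timeout": False},
    {"request": 4, "payload": "guest", "status": 302, "length": 0,    "grep": False, "timeout": False},
    {"request": 5, "payload": "zzzz",  "status": 200, "length": 1835, "grep": False, "timeout": True},
]

def signature(row):
    """Cheap fingerprint of a response: status code plus length rounded to 50 bytes."""
    return (row["status"], round(row["length"] / 50) * 50)

def differences(row, baseline):
    """Which of the article's difference types separate row from the baseline row."""
    found = []
    if row["status"] != baseline["status"]:
        found.append("status")
    if signature(row)[1] != signature(baseline)[1]:
        found.append("length")
    if row["grep"] != baseline["grep"]:      # Grep Match / Grep Payloads column
        found.append("grep")
    if row["timeout"]:                        # errors or timeouts
        found.append("timeout")
    return found

def triage(rows):
    """(request, payload, differences) for every row that differs from the baseline,
    rarest response signature first so the odd one out is at the top."""
    baseline = rows[0]
    freq = Counter(signature(r) for r in rows[1:])
    hits = [r for r in rows[1:] if differences(r, baseline)]
    hits.sort(key=lambda r: (freq[signature(r)], r["request"]))
    return [(r["request"], r["payload"], differences(r, baseline)) for r in hits]
```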
Each penetration tester may analyse Burp Intruder attack results differently, mainly because of differences in skill and experience. In practice, only by trying things out and accumulating experience can you quickly extract the important information you care about from the attack results.
How to use Burp Suite Intruder - KaliTut