50 min | Intermediate

Burp Intruder: Automated Customized Attacks

After this lesson, you will be able to: Use Burp Intruder for automated customized attacks: positions and payloads, the four attack types (Sniper, Battering Ram, Pitchfork, Cluster Bomb), Grep-Match/Extract, and the Community rate-limit workaround.

Intruder automates sending a request many times with different payloads. This lesson covers positions and payload sets, the four attack types and when to use each, finding successes with Grep-Match, and working around Community's throttle.

Prerequisites: Testing for Injection Vulnerabilities

💡 Authorization first

Only perform these techniques in authorized lab environments. Never test systems you do not own or have explicit written permission to test. Every lab in this subtrack uses the PortSwigger Web Security Academy, which is built specifically for legal Burp Suite practice.

What Intruder is: positions and payloads

Send a request to Intruder, mark one or more positions with the § markers, and define a payload list. Intruder then sends the request once per payload, substituting it into the marked position(s). This automates the repetitive testing you would otherwise do by hand in Repeater: trying a list of usernames, passwords, payloads, or values.

The four attack types

  • Sniper: one payload set, one position at a time (test a single parameter against a list).
  • Battering Ram: one payload set placed into all positions at once (same value everywhere).
  • Pitchfork: multiple payload sets, one per position, iterated in parallel by line (credential stuffing: username list and password list matched line by line).
  • Cluster Bomb: multiple payload sets, every combination (brute forcing every username/password pair).

Choosing the right type is the core skill.

Payload sets and finding successes

Payload types include a simple list, a runtime file, numbers, dates, the character frobber, recursive grep, and a username generator. After the attack runs, you find the successful payload by sorting on response length or status, or with Grep-Match (flag responses containing a string like 'Welcome') and Grep-Extract (pull a value out of each response to use later). The needle is usually an outlier in length or status.

Community throttle and the workaround

Community deliberately throttles Intruder to a slow rate; Professional removes it. For learning, the throttle is fine. When you need speed in Community, the Turbo Intruder extension sends requests at high speed via a short Python script and is the standard workaround (covered in the fuzzing lesson). Know the limitation so a slow Community attack does not confuse you.

Lab: enumerate users, then credential stuff

Use a PortSwigger authentication lab.

  1. Find the login request and send it to Intruder.
  2. Sniper mode on the username position with a username wordlist; identify valid usernames by a different response length or message (Grep-Match on the error text).
  3. Switch to Pitchfork with the valid username list plus a password list, matched line by line, to credential stuff.
  4. Find the success by the outlier response (a redirect or different length).
  5. Compare the effort to doing this by hand: Intruder is the automation layer over Repeater.
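To make the request-count difference between the four attack types (and the Grep-Match and length-outlier checks used in the lab) concrete, here is an added Python example that is not part of the lesson or of Burp itself: it expands a request template carrying Burp's § position markers the way each mode would, then flags matching and outlier responses. The template format, the wordlists and the response bodies are constructed assumptions.

```python
from itertools import product

def parse_template(template):
    """Split a request template on § markers (Burp's position syntax) into
    the literal text between positions and the original value at each one."""
    parts = template.split("§")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers")
    return parts[0::2], parts[1::2]

def render(literals, values):
    """Reassemble a request with the given values in the marked positions."""
    out = literals[0]
    for value, literal in zip(values, literals[1:]):
        out += value + literal
    return out

def intruder_requests(template, payload_sets, mode):
    """Return every request each attack type would send, in Burp's order."""
    literals, originals = parse_template(template)
    n = len(originals)
    if mode == "sniper":            # one set, one position at a time
        rows = [originals[:i] + [p] + originals[i + 1:]
                for i in range(n) for p in payload_sets[0]]
    elif mode == "battering_ram":   # one set, same value in every position
        rows = [[p] * n for p in payload_sets[0]]
    elif mode in ("pitchfork", "cluster_bomb"):
        if len(payload_sets) != n:
            raise ValueError("need one payload set per position")
        if mode == "pitchfork":     # parallel by line; ends at the shortest set
            rows = [list(r) for r in zip(*payload_sets)]
        else:                       # every combination
            rows = [list(r) for r in product(*payload_sets)]
    else:
        raise ValueError(f"unknown attack type: {mode}")
    return [render(literals, r) for r in rows]

def grep_match(responses, needle):
    """Grep-Match: indices of responses containing the flag string."""
    return [i for i, body in enumerate(responses) if needle in body]

def length_outliers(responses):
    """Flag responses whose length differs from the most common length."""
    lengths = [len(r) for r in responses]
    typical = max(set(lengths), key=lengths.count)
    return [i for i, size in enumerate(lengths) if size != typical]
```

With a template such as `username=§admin§&password=§pass§`, two usernames and three passwords, Pitchfork yields 2 requests while Cluster Bomb yields 6, which is the multiplication the "common mistakes" section warns about.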

Quick Check

You have a list of usernames and a separate list of passwords and want to try every combination. Which Intruder attack type?


Common mistakes only experienced testers catch

  • Using Cluster Bomb when Pitchfork (line-by-line) was intended, multiplying requests needlessly.
  • Not setting a Grep-Match, then hunting manually through thousands of responses.
  • Forgetting Community's throttle and thinking the attack hung.
  • Marking the wrong position.
  • Running a large Intruder attack against a real target without authorization.
  • Ignoring response length as the fastest success signal.
