Burp Intruder Attack Types

Wed 9th Nov 11

I use Burp Intruder quite lot when doing web app tests but for some reason I always have to stop and think which attack mode I need when going after multiple parameters so figured if I write it down then it may help me remember what is what and help other people who aren't sure.

To show the different modes I'll use this very simple form:

<form method="post" action="/burp_test.php">
	Username: <input name="username" value="" type="text" /><br />
	Password: <input name="password" value="" type="password" /><br />
	<input type="submit" value="login" />
</form>

And I'll use two word lists, users:

  • fred
  • joe
  • george
  • guest

and passwords:

  • password
  • admin
  • guest
  • god
  • letmein

Even though here I am talking about just two parameters it should be easy for people to extrapolate these examples out to more.

Sniper

Sniper mode takes a single input list and uses it against each parameter in turn, leaving the rest of the parameters as their default value. For my four word user list it will make eight requests, four against the username field and four against the password field.

Burp Interceptor sniper attack mode

Battering Ram

Battering Ram also takes a single list but it uses each word against every parameter in a single request so this time there will only be four requests for my four usernames.

Burp Interceptor battering ram attack mode

Pitchfork

Pitchfork is similar to Battering Ram but this time taking a list of words per parameter. If the lists do not match in length then the requests will stop when the shorter list runs out. In this example it will make four requests.

Burp Interceptor pitchfork attack mode

Cluster Bomb

Finally Cluster Bomb mode, this is the one you would expect to use in this scenario. It takes two lists and runs every word in the first list against every word in the second, i.e. your standard password brute force attack. Four usernames with five passwords makes a total of 20 requests.

Burp Interceptor cluster bomb attack mode

Recent Archive

Support The Site

I don't get paid for any of the projects on this site so if you'd like to support my work you can do so by using the affiliate links below where I either get account credits or cash back. Usually only pennies, but they all add up.