(+91) 704-174-0267
[email protected]
My Account
CyberPedia logo
CyberPedia
  • Home
  • About Us
  • Our Course
    • Skilled Based Courses
      • Advanced Course
      • Beginner Course
      • Master Course
    • Job Guarantee
      • Offensive Security Analyst
      • VAPT Consultant Course
      • Cyber Security Analyst Offense Course
    • Certification Course
      • bug bounty course
  • CyberPedia App
  • Our Partners
  • Our Blog
  • Contact
  • Home
  • About Us
  • Our Course
  • CyberPedia App
  • Our Partners
  • Our Blog
  • Contact

Burp 106: BurpSuite Intruder for Application Security Testing

Posted on September 11, 2024
No Comments

 

Intruder is incredibly useful for automating attacks. For a useful walk-through of how it works, I will use one of the PortSwigger web academy labs as a demonstration.

In this example, I have found an issue on their login page. When I provide a username that doesn’t exist the response (line 53) tells me that I provided an “Incorrect username”. That means I can try to log in with a list of usernames until I get a different response that might be something like “Incorrect password”.

To do this, I right-click on the request and select Send to Intruder.

In the intruder tab, I can select the type of attack I want to use. Each has a summary of what the attack does. In my case, I want to use a single list of payloads (usernames) in one payload position (the username field), so I will use the Sniper attack.

Next, you can select the payload position where you want the payload to end up. In my case I want to use the username field, so I will select whatever text is already there and click on the Add § button on the right. The “§” character is used by intruder to tell where the payload positions are, so you can also copy and paste the character and place it manually.

After that, we can go over to the Payloads tab to select what payloads we want to insert into the selected positions.

There is a huge list of payload types you can use based on what type of data you want to populate in the field you have selected for the payload position. You can have iterating numbers, wordlists, brute forcers, and character frobbers which can be used to change one character at a time in an input to see what characters affect behavior.

In my case, I want to use a wordlist of usernames, so I will go with a Simple list.

PortSwigger provides a username wordlist to use for the labs so you don’t have to spend a huge amount of time brute forcing, so I will just paste that in the Payload settings [Simple list].

In my case, I won’t need any payload processing. That said, this is definitely one of the areas where BurpSuite shines. You can add complex logic here about how to process the payload which can allow you to carry out very involved attacks.

One good example of this is attacks on JSON web tokens. Say you have a username stored in a JWT that is not properly signed. You can brute force the username with a simple wordlist, but then with each username you can add the rest of the JWT as a prefix and suffix and then Base64 encode the entire JWT before adding it into the request.

Next, we can use the Resource pool tab to set how many concurrent requests we want to send, as well as add delays between requests or throttling when we start to see certain error messages. In my case, I will bring my resource pool down to a single concurrent request to avoid errors, since my wordlist is small.

The Settings tab allows us to add even more complex logic to our attack. For my attack I will use the Grep — Extract section of the settings to open up the original response I got and select the “Invalid username” we were seeing before.

By clicking the Extract the following items from responses: checkbox, this string will be read from the responses in the table of results after we run the attack, and then I can just sort by rows of the table that don’t include this string to find the valid usernames.

The Settings tab also allows you to do the following:

  • Retry failed connections
  • Flag found strings in the response with Grep-Match (This works like Grep-extract but instead of adding the found string to the table, it adds a 0 or 1 to the table if it is found or missing)
  • Flag results that include the used payload. You can use this to search for reflected XSS with a wordlist of payloads
  • Follow redirections

If we click on the Start attack button when we are done with the settings, we will see the results window pop up. As you can see the Grep — Extract is pulling the “Invalid username” from the response into another column. If I sort that column you can see that one username had a different response because the username is valid.

If I go back to the payload in intruder and put admin in the username field and set the password field as the payload position, I can add the provided password wordlist as the payload and run the attack again.

As you can see, the admin password did not give us the “Incorrect password” error, so we can try to log in with test:test and we successfully log in and solve the lab.

The Burp Suite Intruder Component stands out as a powerful tool for automating attacks and customizing your testing efforts. Whether you’re brute-forcing login credentials, fuzzing inputs, or probing for vulnerabilities, Intruder gives you the flexibility and control needed to launch targeted, efficient attacks.

In the next blog, we’ll dive into the Decoder Component, a tool that helps you quickly decode or encode data formats, making it easier to handle encrypted or encoded information during your security assessments. Stay tuned as we explore how Decoder can streamline your workflow.

Thanks for reading, and happy testing!

 

Author

  • Rushik Patel
    Rushik Patel

    View all posts
Previous Post
Burp 105 : Burp Suite Repeater Guide
Next Post
Burp 107: BurpSuite Decoder, Sequencer and Comparer

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Recent Posts

  • Insecure Deserialization Attacks October 14, 2024
  • HTTP Desync Attacks, Also known as HTTP Request Smuggling September 18, 2024
  • A Nerd’s Guide To Cracking CTF Challenges Part-1 September 17, 2024
  • Burp 107: BurpSuite Decoder, Sequencer and Comparer September 13, 2024
  • Burp 106: BurpSuite Intruder for Application Security Testing September 11, 2024

Categories

  • Cloud (2)
  • CTF (1)
  • Red Team (5)
  • Uncategorized (1)
  • Web (9)
Cyber Security Internship and training

Contacts

[email protected]
+91 91046 20267
215-216, 2nd floor, Pushti Sparsh Acade, BRTS Stop, opposite Rathi Apartment, Dharm Nagar II, Sabarmati, Ahmedabad, Gujarat 380005
Facebook
Instagram
YouTube

Quick Links

  • About Us
  • Contact Us
  • Privacy Policy
  • Terms of Service
  • Refund Policy
  • Cancellation Policy
  • Pricing Policy

Download