How to Use Burp Suite’s Intruder Tool to Pentest Web Apps

Najeeb Weerabangsa, published in Bug Zero, Jan 20, 2023


Screenshot from portswigger.net

Overview

Burp Suite is a powerful vulnerability scanner created by PortSwigger for evaluating the security of web applications. It offers a tool called Intruder that lets you run automated, customized attacks against web apps during ethical hacking engagements. Burp Suite ships with distributions such as Kali and Parrot. Intruder is versatile and highly configurable, and it can be used to automate many of the repetitive tasks that arise while testing an application.

So how exactly does it operate?

It works by intercepting HTTP and HTTPS traffic between a browser and a web application, giving the user access to requests and responses for inspection, modification, and replay. The program includes a proxy server, an intercepting proxy, and a web application scanner. With the proxy server the user can intercept and analyze traffic, with the intercepting proxy the user can alter requests and responses, and with the scanner the user can find vulnerabilities in a web application automatically. Burp Suite also includes other tools for testing and modifying web apps, such as a spider for crawling applications and a repeater for resending requests.

Screenshot from NAJEEB WEERABANGSA PC

Using Burp Suite’s Intruder

The Target page, which you reach from the Intruder tab, holds details about the target website or application that you wish to test. Under “Payload Positions,” you can enter the host information and port number of the target.

Why Is Burp Suite Such an Important Tool?

Burp Suite is an important tool for web application security testing because it allows testers to intercept and modify network traffic between a web browser and a web application. This allows testers to identify vulnerabilities in web applications such as SQL injection, cross-site scripting (XSS), and insecure session management. Additionally, Burp Suite provides a variety of other features such as automated crawling, scanning, and reporting that make it a comprehensive tool for testing the security of web applications.

Using Intruder’s Positions Tab

Screenshot from NAJEEB WEERABANGSA PC

You can examine the different attack types, the request template, and the targeted parameter information under the Positions tab. These are the attack types that Burp Suite lets you choose from.

Sniper: This option works with a single payload set and attacks one parameter at a time. In each request, the parameters not currently being attacked keep their original values.

Battering ram: This strategy uses a single payload for all of the targeted parameters at once. In other words, if the request template has three targeted parameters, all three receive the same payload in the same request.

Pitchfork: This option lets you use a separate payload list for each of the targeted parameters. Suppose the request template has three targeted parameters. The first request inserts the first element of the first list into the first parameter, the first element of the second list into the second parameter, and the first element of the third list into the third parameter. The second request uses the second item on each list, and so on. This attack type is useful when you want to apply different payload lists to different target parameters in parallel.

Cluster bomb: With this option, you may also use a separate payload list for each of the targeted parameters. A cluster bomb differs from Pitchfork in that it tries every combination of the lists rather than walking them in parallel, so it does not proceed in a linear order. It can generate a tremendous number of requests while trying every potential combination of target parameters, so use this option with care.
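As an added example that is not part of the original article or of Burp Suite's own code, here is a small Python simulator of how the four attack types above turn payload sets into requests; it uses Burp's convention of marking each payload position with section signs (§...§), and the request template and payload lists are constructed for illustration. Counting the requests each mode produces is a quick way to judge the load a cluster bomb run would place on a target before launching it.

```python
# Added example: simulate Intruder's four attack types over a request template.
import itertools
import re

# One capture group per §position§; the captured text is the original value.
POSITION_RE = re.compile("§([^§]*)§")

# Constructed sample template with two payload positions, and one
# constructed payload set per position (only set 1 is used by sniper and
# battering ram, which work with a single payload set).
TEMPLATE = "id=§1§&sort=§name§"
SETS = [["7", "42"], ["name", "date", "size"]]


def render(template, values):
    """Replace each §position§ in order with the corresponding value."""
    it = iter(values)
    return POSITION_RE.sub(lambda _m: next(it), template)


def sniper(originals, payload_sets):
    """One payload set, one position at a time; other positions stay original."""
    for pos in range(len(originals)):
        for p in payload_sets[0]:
            values = list(originals)
            values[pos] = p
            yield tuple(values)


def battering_ram(originals, payload_sets):
    """One payload set; the same payload goes into every position at once."""
    for p in payload_sets[0]:
        yield (p,) * len(originals)


def pitchfork(originals, payload_sets):
    """One set per position, walked in parallel; stops at the shortest set."""
    return zip(*payload_sets)


def cluster_bomb(originals, payload_sets):
    """One set per position; every combination is tried (Cartesian product)."""
    return itertools.product(*payload_sets)


ATTACKS = {"sniper": sniper, "battering ram": battering_ram,
           "pitchfork": pitchfork, "cluster bomb": cluster_bomb}


def run_attack(attack_type, template, payload_sets):
    """Return the request strings Intruder would generate, in Burp's order."""
    originals = POSITION_RE.findall(template)
    if attack_type in ("pitchfork", "cluster bomb") and len(payload_sets) != len(originals):
        raise ValueError("pitchfork and cluster bomb need one payload set per position")
    return [render(template, v) for v in ATTACKS[attack_type](originals, payload_sets)]
```

With two positions and sets of 2 and 3 payloads, sniper yields 4 requests, battering ram 2, pitchfork 2, and cluster bomb 6; the gap widens quickly as positions and list sizes grow.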

Other helpful buttons are found on the Positions screen. The Clear button on the right removes every marked parameter, and the Add button next to it marks a new one. Use the Auto button to select all likely fields automatically or to reset the markers to their default positions.

What Do the Burp Suite Payloads Tabs Do?

Screenshot from NAJEEB WEERABANGSA PC

Payload lists can be thought of as wordlists. One or more payload lists can be created in the Payloads tab, and the number of payload sets available depends on the attack type selected.

A payload set can be defined in several different ways. If you already have a wordlist, you can import it by choosing the Load option under the “Payload Options” heading.

You can also build a different payload set for each of the marked parameters. For the first target parameter, for instance, you might use only numeric values, while for the second target parameter you might use more complex expressions.

Payload Processing

Screenshot from NAJEEB WEERABANGSA PC

The payload sets can be expanded further with the rules and encodings defined under Payload Processing. You might, for instance, add a prefix to every payload, encrypt and decrypt them, or skip payloads that match a given regular expression.

Payload Encoding

Screenshot from NAJEEB WEERABANGSA PC

Payload Encoding makes it simple to define which characters in the payloads should be URL encoded when HTTP requests are sent to the target. URL encoding replaces characters that would otherwise be interpreted as part of the URL’s structure with an encoded equivalent. By default, Burp Suite encodes symbols such as ampersands (&), asterisks (*), semicolons (;), and colons (:) before sending the request.

What Does Intruder’s Options Tab Do?

Screenshot from NAJEEB WEERABANGSA PC

Request headers, attack results, grep matches, and redirect handling are all configured under the Options tab. You can adjust these settings in the Intruder interface before starting an attack.

The settings in the “Request Headers” section control how request headers are handled. The Content-Length header deserves attention: if it is not updated correctly after the payload changes the body, the target can return an error.

When the Set Connection option is enabled, each request is sent with the connection set to close; otherwise the connection may stay open after the request. Closing it can make each transaction complete a little faster.

Error Handling

The settings in the “Error Handling” section control the engine that issues HTTP requests during an Intruder attack. Here you can tune variables such as the attack’s duration, intensity, and speed.

Attack Results

You can control which details appear in the attack results by using the “Attack Results” section. The following options are available:

  • Store requests/responses: These two options determine whether the content of the attack requests and responses is saved.
  • Make unmodified baseline requests: This sends the request template with the original values of the targeted parameters as well, so that you can compare the attack responses against a baseline.
  • Use denial-of-service mode: This option issues the attack requests without waiting for their responses. Because it puts a heavy load on the target server, the server may stop responding before the attack completes, so it must be used with care.
  • Store full payloads: This lets Burp Suite record the exact payload values for each result. Selecting it makes Intruder use more storage.

Grep — Match, Extract, Payloads

Screenshots from NAJEEB WEERABANGSA PC

The “Grep — Match,” “Grep — Extract,” and “Grep — Payloads” options flag results whose responses contain terms you define. For each item you configure, Burp Suite adds a column to the results table indicating whether that item was found in the response. In a password attack, for instance, you might look for phrases such as “incorrect password” or “successful login.” The Grep — Match section offers the following settings:

  • Match type: Specifies whether the configured expressions are plain text or regular expressions (regex).
  • Case-sensitive match: Specifies whether matching is case-sensitive.
  • Exclude HTTP header: Specifies whether the header lines of the response are left out of the matching.

References

Bug Zero is a bug bounty, crowdsourcing platform for security testing. The platform is the intermediary entity that enables client organizations to publish their service endpoints so that bug hunters (security researchers / ethical hackers) registered in the platform can start testing the endpoints without any upfront charge. Bug hunters can start testing as soon as a client organization publishes a new program. Bug Zero also offers private bug bounty programs for organizations with high-security requirements.

https://bugzero.io/signup

Bug Zero is available for both hackers and organizations.

For organizations and hackers, register with Bug Zero for free, and let’s make cyberspace safe.


Computer science student at University of Ruhuna with a strong interest in cyber security. I am always looking to expand my knowledge and skills in the field.