© Sagar Rahalkar 2021
S. Rahalkar, A Complete Guide to Burp Suite, https://doi.org/10.1007/978-1-4842-6402-7_5

5. Intruder

Sagar Rahalkar, Pune, Maharashtra, India

In the last chapter, we saw some basics about the Burp Suite dashboard, target, and engagement tools. Now that we have seen the basics of intercepting requests and interpreting the summary on the dashboard, we will move ahead with using the Intruder tool. Intruder has advanced fuzzing capabilities that can be used in various attack scenarios.

Introduction to Intruder

Before we get into the details of the various options within Intruder, it’s important to understand what Intruder is and how it can be helpful in web application security testing. Intruder is the Burp Suite tool used for fuzzing and for performing brute force attacks.

There might be an application with a login page wherein the user needs to enter credentials to proceed further. From a security testing perspective, it would be worthwhile to test this login page for default credentials, weak passwords, or lockout mechanisms. This is where Intruder can come in handy. Given a list of usernames and passwords, Intruder can try all those combinations to see if any of them match.

We can also consider another scenario wherein we have an interesting request that we wish to investigate further to check if it’s vulnerable to SQL injection or cross-site scripting. Again, Intruder can help with this. We simply point Intruder to the URL and parameter we wish to test and feed it a list of SQL injection or cross-site scripting payloads. It will then insert each of the payloads we provided into the parameter under test and collect the responses. Once this is done, we need to check the responses to see if any of the payloads actually resulted in exploitation of the vulnerability.

Thus Intruder is tremendously helpful in any test scenario where we have the following two things:
  1. A URL and a parameter to test
  2. A list of payloads to be submitted to the parameter
Now let’s try to understand how we can send a request to Intruder. We have already seen the Target tab and the hotkeys in previous chapters. Any request can be sent to Intruder in two ways:
  1. Right-click the request you wish to send and click on ‘Send to Intruder’ as shown in Figure 5-1.
  2. Select the request you want to send and press the hotkey combination ‘Ctrl + I’.

Figure 5-1 Send request to Intruder

Now that we have sent the request to Intruder, let’s see what options need to be configured further.

Target Tab

The first tab in Intruder is the Target tab. This lists the target URL and port that we wish to attack through Intruder as shown in Figure 5-2.
Figure 5-2 Configuring the attack target in Intruder

There’s also an option to use HTTPS in case the target URL is using a secure communication channel.

Positions

The next tab within Intruder is the Positions tab as shown in Figure 5-3.
Figure 5-3 Configuring the positions in Intruder

Whenever a request is sent to Intruder, it scans the request for probable insertion points and marks them as variables enclosed between ‘$’ signs. There are three options with regard to selecting the insertion points:
  1. Add $ – This option is used to add a new insertion point. Simply select the text from the start to the end of the insertion point and click on ‘Add $’.
  2. Clear $ – This option removes all the insertion points, whether they were selected manually or automatically.
  3. Auto $ – This option scans the request and tries to set insertion points automatically, marking them with the ‘$’ sign.
Once we are sure about the insertion points or parameters that we want to target, the next step is selecting the type of attack. There are four different attack types available as shown in Figure 5-4.
Figure 5-4 Selecting the attack type in Intruder

The four attack types are the following:
  1. Sniper – This type of attack uses a single set of payloads. Intruder targets one insertion point at a time, iterating through the payload set at that position while the other positions keep their original values, and then moves on to the next insertion point.
  2. Battering ram – This type of attack also uses a single set of payloads. Intruder iterates through the payloads by inserting the same payload at all insertion points at once.
  3. Pitchfork – This type of attack uses multiple sets of payloads, one per insertion point. Intruder steps through the sets in parallel, so each request takes the next payload from every set at the same time.
  4. Cluster bomb – This type of attack uses multiple sets of payloads. For each of the defined insertion points, there’s a different payload set. Intruder iterates through each of the payload sets and all permutations of payload combinations are then tested. Due to the number of possible permutations and combinations in the case of a cluster bomb, a large number of requests would be generated.
Choosing the correct attack type depends on the attack scenario and the number of insertion points that need to be targeted simultaneously. See Figure 5-5.
Figure 5-5 Attack type and positions in Intruder

Once the payload positions are configured and type of attack is selected, we can move ahead to configuring the actual payloads.

Payloads

A payload is the data that Intruder iteratively inserts into the selected insertion points. Payloads can differ widely based on the scenario or the attack that we are targeting. In the case of the login page that we are discussing, the payload would be a list of probable passwords. Burp Suite provides various payload types, and the most commonly used one is the simple list. You can create your own list by adding elements one at a time as shown in Figure 5-6, or you can select one of the predefined lists that Burp Suite offers.
Figure 5-6 Selecting payloads in Intruder

Burp Suite has several predefined lists in the form of usernames, passwords, short words, fuzzing payloads for SQL injection and cross-site scripting, directories, extensions, etc. Depending on the type of attack, we can either use the predefined list or create our own list as shown in Figure 5-7.
Figure 5-7 Selecting Intruder payloads from various options

Now that we have configured the positions as well as the payloads, we can launch the attack by clicking the ‘Start attack’ button. A new window will pop up as shown in Figure 5-8, and the payloads we provided will be submitted into the insertion points we defined earlier, one request at a time.
Figure 5-8 Intruder attack results

From Figure 5-8, we can see that Intruder sent five requests, each with a different payload. Upon comparing the content lengths of the responses, we notice that the response for the payload ‘admin’ differs from the others. Hence it could be the password for the admin user we are trying to log in as. We can then easily verify this by manually logging into the target application.

Options

The last part of Intruder is the ‘Options’ tab. We have already seen that Intruder works as a fuzzing tool and can perform brute force attacks. This implies that the Burp Suite engine has to send a large number of requests, await the responses, and then process them based on a predefined ruleset. The ‘Request Engine’ section shown in Figure 5-9 configures the number of parallel threads, the number of retries on network failure, and the pause before each retry. The values shown in Figure 5-9 are the preconfigured defaults; depending on the specific use case, they can be tailored accordingly.
Figure 5-9 Intruder configuration options

Intruder sends a large number of requests to the target, covering many permutations and combinations of payloads, and the responses can be overwhelming to go through. This is where the ‘Grep Match’ feature shown in Figure 5-10 comes in handy. With this feature we configure the Intruder engine to flag responses containing keywords like error, exception, illegal, fail, stack, access, directory, etc. If Intruder finds any of these keywords in a response, that result is explicitly highlighted, making the analysis much easier.
Figure 5-10 Extracting relevant data from Intruder results
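The two triage steps described above, comparing content lengths (the ‘admin’ result in Figure 5-8) and the Grep Match keyword flags, can be reproduced outside Burp on an exported result set. The Python below is an added example, not part of the book or of Burp: it runs over a constructed set of five responses, marks the responses whose length differs from the most common one, and records which of the chapter’s grep terms each response contains. The payload values, status codes and response bodies are constructed sample data.

```python
"""Triage of Intruder-style results: length outliers and grep-match flags
(added example with constructed data)."""
from collections import Counter
from typing import Dict, List, NamedTuple, Sequence

# Keywords taken from the chapter's Grep Match discussion.
GREP_TERMS = ["error", "exception", "illegal", "fail", "stack", "access", "directory"]


class Result(NamedTuple):
    payload: str
    status: int
    body: str


# Constructed responses mimicking a five-request run against a login form:
# three identical rejections, one redirect, and one server error.
REJECT = "<html><body>Invalid username or password.</body></html>"
RESULTS = [
    Result("password", 200, REJECT),
    Result("123456", 200, REJECT),
    Result("admin", 302, "<html><body>Redirecting to /dashboard</body></html>"),
    Result("letmein", 200, REJECT),
    Result("qwerty", 500, "<html><body>Internal error: stack trace follows ...</body></html>"),
]


def content_length(result: Result) -> int:
    """Byte length of the body, as shown in Intruder's Length column."""
    return len(result.body.encode("utf-8"))


def length_outliers(results: Sequence[Result]) -> List[str]:
    """Payloads whose response length differs from the most common length.
    This is the 'compare the content length' step from the chapter."""
    lengths = [content_length(r) for r in results]
    baseline, _ = Counter(lengths).most_common(1)[0]
    return [r.payload for r, n in zip(results, lengths) if n != baseline]


def grep_match(results: Sequence[Result], terms: Sequence[str] = GREP_TERMS) -> Dict[str, List[str]]:
    """Map payload -> list of matched terms (case-insensitive substring
    match), mirroring what Grep Match flags in the results table."""
    flags: Dict[str, List[str]] = {}
    for r in results:
        lowered = r.body.lower()
        hits = [t for t in terms if t in lowered]
        if hits:
            flags[r.payload] = hits
    return flags


def triage(results: Sequence[Result], terms: Sequence[str] = GREP_TERMS) -> List[dict]:
    """One row per result with both signals so they can be read side by side."""
    outliers = set(length_outliers(results))
    matches = grep_match(results, terms)
    return [
        {
            "payload": r.payload,
            "status": r.status,
            "length": content_length(r),
            "length_outlier": r.payload in outliers,
            "grep": matches.get(r.payload, []),
        }
        for r in results
    ]


if __name__ == "__main__":
    for row in triage(RESULTS):
        flag = "*" if row["length_outlier"] or row["grep"] else " "
        print(f"{flag} {row['payload']:10s} {row['status']} {row['length']:4d} {row['grep']}")
```

Reading the two signals together matters: the length outlier alone points at both ‘admin’ and ‘qwerty’, while the grep flags separate the server error (‘error’, ‘stack’) from the redirect that actually deserves a manual login attempt, which is the verification step the chapter recommends.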

Summary

In this chapter we learned about using the Intruder tool to perform fuzzing and brute force attacks. We started off the chapter by learning how to send requests to Intruder, configuring positions, payloads, and finally launching the attack and interpreting the results. We also saw some of the configurable options for Intruder.

In the next chapter we’ll see some additional useful tools within the Burp Suite like Repeater, Comparer, Decoder, and Sequencer.

Exercises

  1. Use Intruder to detect a cross-site scripting vulnerability in any of the vulnerable applications.
  2. Use Intruder to detect a SQL injection vulnerability in any of the vulnerable applications.