Burp Suite Pro, Intruder module, payload “Positions”: what is each “attack type” for?

This is a very common and widely asked question, particularly from new users who have not yet read the entire Burp Suite Pro documentation or performed various manual test cases.

As a quick recap, the setting is inside the Intruder module, on the payload “Positions” tab, which has a pull-down menu for “attack type”.

Burp Intruder supports various attack types – these determine the way in which payloads are assigned to payload positions. The attack type can be selected using the drop-down above the request template editor. The following attack types are available:

  • Sniper – This uses a single set of payloads. It targets each payload position in turn, and places each payload into that position in turn. Positions that are not targeted for a given request are not affected – the position markers are removed and any enclosed text that appears between them in the template remains unchanged. This attack type is useful for fuzzing a number of request parameters individually for common vulnerabilities. The total number of requests generated in the attack is the product of the number of positions and the number of payloads in the payload set.
  • Battering ram – This uses a single set of payloads. It iterates through the payloads, and places the same payload into all of the defined payload positions at once. This attack type is useful where an attack requires the same input to be inserted in multiple places within the request (e.g. a username within a Cookie and a body parameter). The total number of requests generated in the attack is the number of payloads in the payload set.
  • Pitchfork – This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 20). The attack iterates through all payload sets simultaneously, and places one payload into each defined position. In other words, the first request will place the first payload from payload set 1 into position 1 and the first payload from payload set 2 into position 2; the second request will place the second payload from payload set 1 into position 1 and the second payload from payload set 2 into position 2, etc. This attack type is useful where an attack requires different but related input to be inserted in multiple places within the request (e.g. a username in one parameter, and a known ID number corresponding to that username in another parameter). The total number of requests generated in the attack is the number of payloads in the smallest payload set.
  • Cluster bomb – This uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 20). The attack iterates through each payload set in turn, so that all permutations of payload combinations are tested. I.e., if there are two payload positions, the attack will place the first payload from payload set 2 into position 2, and iterate through all the payloads in payload set 1 in position 1; it will then place the second payload from payload set 2 into position 2, and iterate through all the payloads in payload set 1 in position 1. This attack type is useful where an attack requires different and unrelated or unknown input to be inserted in multiple places within the request (e.g. when guessing credentials, a username in one parameter, and a password in another parameter). The total number of requests generated in the attack is the product of the number of payloads in all defined payload sets – this may be extremely large.
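The four assignment rules above, modelled as an added Python example (not code from the original post or from Burp itself) so the per-request payload placement and the request counts can be checked. The template values and payload lists are constructed placeholders, and nothing is sent over the network.

```python
from itertools import product

def sniper(base, payloads):
    """One payload set; target each position in turn, leaving the
    other positions with their original template text."""
    for pos in range(len(base)):
        for p in payloads:
            yield tuple(p if i == pos else b for i, b in enumerate(base))

def battering_ram(base, payloads):
    """One payload set; the same payload goes into every position at once."""
    for p in payloads:
        yield tuple(p for _ in base)

def pitchfork(payload_sets):
    """One set per position, stepped in parallel; ends with the smallest set."""
    yield from zip(*payload_sets)

def cluster_bomb(payload_sets):
    """One set per position, every combination; set 1 varies fastest,
    matching the iteration order described in the list above."""
    for combo in product(*reversed(payload_sets)):
        yield tuple(reversed(combo))

# Constructed sample data: two positions and their template text.
BASE = ("user0", "pass0")
SINGLE_SET = ["A", "B"]
SET_1 = ["u1", "u2", "u3"]   # payload set for position 1
SET_2 = ["p1", "p2"]         # payload set for position 2

if __name__ == "__main__":
    runs = {
        "sniper": list(sniper(BASE, SINGLE_SET)),
        "battering ram": list(battering_ram(BASE, SINGLE_SET)),
        "pitchfork": list(pitchfork([SET_1, SET_2])),
        "cluster bomb": list(cluster_bomb([SET_1, SET_2])),
    }
    for name, requests in runs.items():
        print(f"{name}: {len(requests)} requests")
        for r in requests:
            print("   ", r)
```
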

To explain the cluster bomb further, think of a user login form as an example. It requires two parameters, one for the username and one for the password. A brute-force attack then requires one dictionary for usernames × one dictionary for passwords, i.e. username A is tested against all passwords, then the attack moves to the second username and tests it against all passwords.

Here is the visual answer to what the cluster bomb is all about: testing the two parameters against each other one by one (for example, username × password).