top of page

Fuzzing with Burp Intruder

Updated: Apr 7

Introduction

Fuzzing or "fuzz-testing" is the automated technique of sending mutated requests to an application to cause the application to crash or induce unexpected behavior and discover security vulnerabilities.


Burp Suite Intruder is a powerful tool for executing web application fuzzing and finding vulnerabilities that are hard to find using manual penetration testing and scanning.


Fuzzing Web server Scenarios

Fuzzing Scenarios


Identifying Fuzzable Inputs

While performing a penetration test, a standard reconnaissance method is to navigate through the application using Burp Proxy to identify what parameters the application uses, i.e., what headers, query, and body parameters the application use. What are the endpoints it connects to?


Once you've identified the parameters, determine which is suitable for fuzzing vulnerabilities such as XSS, SQL Injection, OS Command Injection, etc. Download a suitable wordlist such as SecLists https://github.com/danielmiessler/SecLists to use as payload in the Intruder.


Burp Suite Intruder

Burp Intruder is very effective in fuzzing web applications and automating vulnerability assessment during penetration testing. Using Burp Intruder, you can specify what type of payloads should be injected in a request, which requests parameters should be tested, and how many parameters to test simultaneously.


BurpSuite Intruder Main page

Burp Intruder


Burp Intruder Attack Types


Sniper

The sniper attack type uses a single payload list to fuzz one predefined parameter position leaving the rest of the parameters to their default value. Sniper is most efficient in fuzzing to find XSS, Command Injection, Directory Brute force, IDOR, and SQL injection.


Fuzzing for XSS

Target the XVWA(Xtreme Vulnerable Web Application) to fuzz for Reflected XSS. Download the vulnerable machine from here https://www.vulnhub.com/entry/xtreme-vulnerable-web-application-xvwa-1,209


XVWA home screen

Navigate to the URL vulnerable to XSS and capture the request in Burp Proxy.

Intercepting request in BurpSuite

Intercepting request in proxy and sending it to the Intruder.


Right-click on the request and select "Send to Intruder." Clear all payload markers, then insert a new marker around the parameter of your interest in fuzzing.

Setting Payload position in BurpSuite Intruder

Setting Markers in BurpSuite Intruder

Then select the payloads option and load the payload wordlist from SecLists.

Loading payloads for Intruder

Start the attack and analyze the response for reflected XSS payloads.

Monitoring attack in BurpSuite Intruder

Send the reflected payloads to the browser for manual testing and confirm that the payload triggers XSS and the cookie is successfully read.

Intercepted Request view in BurpSuite

XVWA XSS attack

XSS Analysis using Grep-Match

The Grep-Match in Burp Intruder is a powerful feature to analyze the results containing specified expressions. Navigate to the URL vulnerable to XSS and capture the request in Burp Proxy.

XSS reflected analysis in XVWA

XVWA request interception in burp

Right-click on the request and select "Send to Intruder."

Sending request to Interceptor in Burp

Clear all payload markers, then insert a new marker around the parameter of your interest in fuzzing.

Clearing Payload markers in Burp Intruder

Then select the payloads option and load the payload wordlist from SecLists or type in the payloads as shown below.

Setting payload in burpsuite intruder

Go to the Options tab and clear the default expressions under Grep-Match to include the XSS payload to match the intruder results.

Options pane in burpsuite intruder

Start the attack and once the attack is completed, analyze the results and observe the Grep-Match expressions columns. Select the request and analyze the response to identify if the payload is successfully reflected, an indicator of a successful XSS attack.

Attack monitor screen in Burp intruder

Fuzzing for SQL injection

Target the OWASP Juice Shop login page to fuzz for SQL Injection. Download and Configure Juice Shop from here https://sourceforge.net/projects/juice-shop

OWASP Juice Shop login screen

Capture the login request in the Burp Proxy and send it to the Intruder.

Intercepting OWASP JuiceShop login request

Clear the payload positions and mark the email parameter for SQL Injection tests.

Clearing default markers for juice Shop login request

Load the SQL Injection payloads from Seclists.

Loading SQL payloads in Intruder

Start the attack and analyze the response.

Attacking and analyzing payloads in Burpsuite Intruder

In the results, examine the response with high length in bytes to identify the possible successful SQL Injection attack. Send that request through the browser for manual testing and confirm that the payload causes SQL Injection and login is successful.

Result of Intruder attack execution

OWASP Juice Shop logged in screen

Battering ram

The Battering ram attack type places the same payload value in all positions and uses only one payload set. It loops through the payload set and replaces all marked positions with payload values.


Bruteforce Attack

The target selected for the Bruteforce attack is Acunetix Acuform http://testasp.vulnweb.com/ application. We are going to perform a password brute force on the login page.

Acunetix Acuform target application home screen

Capture the acuform login page request in Burp Proxy and send it to the Intruder.

Intercepting Acunetix Acuform request

Select the attack type as Battering ram and clear all the markers. Add the marker around the Password parameter value.

Selecting Attack Type in BurpSuite Intruder

Load the password wordlist from Seclists as payloads for brute-forcing passwords.

Loading password wordlist from seclist in burpsuite

Start the attack and analyze the results. Examine the length column and Status column to notice for successful login. Send that request through the browser for manual testing and confirm the login is successful.

Running attack on Acunetix Acuform

Loggedin session on Acunetix Acuform

Pitchfork

The pitchfork attack type uses one payload set for each position and the first payload in the first and second payload in the second positions. This attack type is proper if you have data items that belong together, for example, username and password combination, where you load the usernames in the 1st payload set and the corresponding passwords in the second payload set. Pitchfork sends the combination of each username/password in the fuzzing request.


Bruteforce Attack

The target selected for the Bruteforce attack is Acunetix Acuform http://testasp.vulnweb.com/ application. We are going to perform a password brute force on the login page.

BruteForce attack on Acunetix Acuform

Capture the acuform login page request in Burp Proxy and send it to the Intruder.

Intercepting request for Bruteforcing

Select the attack type as Pitchfork and clear all the markers. Add the markers around the Username and Password parameter values.

Attack type selection as pitchfork in BurpSuite Intruder

Load the username and password wordlists from Seclists as payloads for brute-forcing.

Loading payloads

Start the attack and analyze the response for the correct username and password combination.

Running attack analysis in burp

Examine the length column and Status column to notice for successful login. Send that request through the browser for manual testing and confirm the login is successful.

Examining successful results of fuzzing

Succesfull logged in Session as a result of fuzzing

Clusterbomb

The cluster bomb attack type uses a different combination of payloads, putting 1st payload in the first position and the 2nd payload in the second position. But when it loops through the payload sets, it tries all combinations. For example, if you have 50 usernames and 50 passwords, this attack will perform 2,500 requests.


Bruteforce Attack

Target the XVWA(Xtreme Vulnerable Web Application) to fuzz for brute force attack. We are going to perform a password brute force on the login page. Capture the request in Burp Proxy and send it to Intruder.


Select the attack type as Clusterbomb and clear all the markers. Add the markers around the Username and Password parameter values.

Selecting Cluster bomb mode in Burpsuite UI

Load the username and password wordlists from Seclists as payloads for brute-forcing.

Loading Payload for fuzzing

Start the attack, analyze the response for the correct username and password combination, and examine the length and status columns to notice for successful login. Send that request through the browser for manual testing and confirm the login is successful.

XVWA logged in screen

Payloads


 

Register for instructor-led courses today!



1,573 views

Recent Posts

See All

Σχόλια


bottom of page