Introduction
After running an attack in Burp Intruder, the next crucial step is to analyze the results to identify potential vulnerabilities. The results table provides a wealth of information, but knowing how to sort, filter, and inspect it efficiently is key to finding security flaws.
In this lab, you will learn the fundamental techniques for analyzing a completed Intruder attack. To focus solely on the analysis workflow, we will use a pre-loaded Burp Suite project file that already contains attack results. You will learn how to launch Burp Suite, open the project, and use the built-in tools to examine the results.
View the Results Table of a Completed Intruder Attack
In this step, you will launch Burp Suite and open an existing project to view the results of a pre-run attack. This is the starting point for any analysis.
First, open a terminal from the desktop application menu.
Now, launch Burp Suite Community Edition by running the following command in the terminal. This may take a moment to load.
burpsuite
A startup dialog will appear. Since we are using a pre-configured project, select Open an existing project and click Next.
In the file selection window, navigate to the /home/labex/project directory. You will see a file named burp-intruder-results.bpr. Select this file and click Open.
Click Start Burp on the final dialog screen.
Once Burp Suite has loaded, navigate to the Intruder tab. You will see that an attack has already been run, and the Results sub-tab is populated with data. Take a moment to look at the columns available, such as Request, Payload, Status, and Length.
Sort the Results by 'Status' Code
In this step, you will learn how to sort the attack results by the HTTP status code. Sorting is a quick way to group similar responses and spot outliers. Different status codes can indicate different application behaviors, which is useful for analysis.
In the Intruder > Results tab, locate the column header named Status.
Click on the Status column header. The table will sort all the results based on the HTTP status code in ascending order. Clicking the header again will sort it in descending order.
Sort the table so that you can see if there are any status codes other than 200 OK. For example, a 302 Found might indicate a successful login redirect, while a 403 Forbidden or 500 Internal Server Error could also be interesting and warrant further investigation. Grouping these codes together makes them easy to find.
Sort the Results by 'Length' to Find Anomalies
In this step, you will sort the results by the response length to identify anomalies. In many types of attacks, such as password guessing or content discovery, a successful attempt often results in a response with a different length than unsuccessful ones.
In the Intruder > Results tab, locate the column header named Length.
Click on the Length column header to sort the results. Observe the values. You will likely see a large number of responses with the exact same length. These usually represent the baseline "failed" or "default" response from the server.
Click the Length header again to sort in the opposite direction. Any response with a significantly different length—either much longer or much shorter—is an anomaly that deserves closer inspection. This is one of the most effective ways to find interesting results in a large dataset.
Click a Result to View the Full Request and Response
In this step, you will select an interesting result from the table to view the full HTTP request and response. After identifying a potential anomaly by sorting, you need to examine the raw traffic to understand what happened.
First, identify an interesting row in the results table. This could be a row with a unique status code or a response length that stands out from the rest.
Click on that single row to select it.
Once a row is selected, look at the panes below the results table. You will see a set of tabs for the Request and Response.
- Click the Request tab to see the exact HTTP request that Burp sent to the server. You can see the payload that was injected for that specific request.
- Click the Response tab to see the server's full response.
By switching between the request and response, you can analyze why a particular payload resulted in an anomalous response. For example, a different response length might be due to an error message or a successful login message appearing in the response body.
Use the 'Filter' Bar to Hide Uninteresting Results
In this step, you will use the filter bar to hide uninteresting results. When an attack generates thousands of results, manually sorting and scrolling is inefficient. The filter is a powerful tool for narrowing the view to only what matters.
Just above the results table, you will find the Filter bar. This feature allows you to show or hide results based on various criteria.
Let's try a practical example. After sorting by length, you probably noticed a very common response length for failed attempts. Let's say this length is 4850.
- Type 4850 into the text box for the filter.
- Check the Hide radio button.
- The results table will now hide all responses with a length of 4850, making it much easier to see the few anomalous results that remain.
You can also filter by other attributes, such as status code or search terms in the response. To clear a filter, simply delete the text from the input box. Experiment with the filter to see how it can help you focus your analysis.
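The same triage (find the baseline status and length, hide rows that match it, review what remains) can be written as a short script. This Python is an added example, not part of the original lab or of Burp Suite; the tab-separated rows are constructed sample data, and the function names and the tolerance parameter are assumptions. The tolerance goes slightly beyond the exact-match filter above: it covers responses whose length shifts by a few bytes, for instance when the page echoes the payload.

```python
import csv
import io
from collections import Counter

# Constructed sample data (not taken from the lab's project file), using the
# Request, Payload, Status and Length columns named in the lab.
SAMPLE_TSV = """Request\tPayload\tStatus\tLength
1\talpha\t200\t4850
2\tbravo\t200\t4850
3\tcharlie\t200\t4850
4\tdelta\t302\t312
5\techo\t200\t4850
6\tfoxtrot\t500\t1290
7\tgolf-long\t200\t4853
8\thotel\t200\t4850
"""

def load_rows(text):
    """Parse tab-separated rows and convert Status and Length to integers."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter="\t"))
    for row in rows:
        row["Status"] = int(row["Status"])
        row["Length"] = int(row["Length"])
    return rows

def baseline(rows, column):
    """Most common value in a column: the default 'failed' response."""
    return Counter(row[column] for row in rows).most_common(1)[0][0]

def find_anomalies(rows, tolerance=0):
    """Hide rows that match the baseline status and length (within tolerance).

    Returns (request, status, length, delta) tuples, largest deviation first.
    """
    base_status = baseline(rows, "Status")
    base_length = baseline(rows, "Length")
    flagged = []
    for row in rows:
        delta = row["Length"] - base_length
        if row["Status"] != base_status or abs(delta) > tolerance:
            flagged.append((row["Request"], row["Status"], row["Length"], delta))
    return sorted(flagged, key=lambda item: abs(item[3]), reverse=True)

if __name__ == "__main__":
    rows = load_rows(SAMPLE_TSV)
    print("baseline length:", baseline(rows, "Length"))
    for request, status, length, delta in find_anomalies(rows, tolerance=5):
        print(f"request {request}: status {status}, length {length} ({delta:+d})")
```

With a tolerance of 0 the row that is only 3 bytes longer than the baseline is also reported, which mirrors what an exact-length filter in the table would leave visible.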
Summary
In this lab, you learned the fundamental techniques for analyzing attack results in Burp Intruder. These skills are essential for efficiently finding vulnerabilities from automated attacks.
You started by opening a pre-existing Burp project and navigating to the Intruder results table. You then practiced sorting the results by both HTTP status code and response length to quickly identify anomalies. Next, you learned how to inspect the full request and response of any given result to understand the server's behavior. Finally, you used the powerful filter feature to hide noise and focus on the most interesting results.
Mastering this analysis workflow will significantly speed up your ability to process the output of automated tools and pinpoint security flaws.
