Perform a Sniper Attack in Burp Intruder


Introduction

In this lab, you will learn how to perform a "Sniper" attack, one of the most fundamental and commonly used attack types in Burp Suite's Intruder tool. Burp Intruder is a powerful tool for automating customized attacks against web applications to identify and exploit security vulnerabilities.

The Sniper attack is designed to iterate through a list of payloads, inserting them one by one into a single, specified position within an HTTP request. This makes it ideal for tasks like guessing usernames, finding password reset tokens, or fuzzing a single parameter for vulnerabilities.

We will walk through the process of sending a request to Intruder, configuring the payload position, selecting the Sniper attack type, loading a simple payload list, and finally, launching the attack and analyzing the results. For this lab, Burp Suite is already installed in the environment.

In Intruder > Positions, Select a Parameter Value and Click 'Add §'

In this step, you will define the target for your attack. After sending a request to Intruder, you need to specify exactly where the payloads should be inserted.

First, you need to have a request to work with. For the purpose of this lab, we will assume you have already intercepted a login request in the Burp Proxy and sent it to Intruder (by right-clicking the request and choosing "Send to Intruder"). The request in Intruder might look like this:

POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

username=myuser&password=mypass

By default, Burp Intruder automatically adds payload markers (§) around what it thinks are interesting parts of the request. To gain precise control, it's best to clear these and set your own.

  1. Navigate to the Intruder > Positions tab.
  2. Click the Clear § button on the right side to remove all automatically-added payload markers.
  3. In the request editor, use your mouse to highlight only the value of the username parameter (in this case, myuser).
  4. With the value highlighted, click the Add § button.

Your request should now look like this, with only the username value marked as a payload position:

POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

username=§myuser§&password=mypass

This tells Intruder to only insert payloads in place of myuser, leaving the rest of the request unchanged for each attempt.

Set the Attack Type to 'Sniper'

In this step, you will select the appropriate attack type for your objective. Burp Intruder offers four different attack types, each serving a different purpose. For this lab, we will use Sniper.

Here is a brief overview of the attack types:

  • Sniper: Uses a single payload set. It targets each payload position (§...§) one by one. For each position, it iterates through every payload in the list. This is the most common type for fuzzing a single parameter.
  • Battering ram: Uses a single payload set. It inserts the same payload into all defined payload positions simultaneously.
  • Pitchfork: Uses multiple payload sets. For each request, it takes one payload from each set and places them into their corresponding positions.
  • Cluster bomb: Uses multiple payload sets. It tests every possible combination of payloads from all sets.

Since our goal is to test a list of different usernames in a single parameter, Sniper is the perfect choice.

To set the attack type:

  1. Stay in the Intruder > Positions tab.
  2. Locate the Attack type dropdown menu at the top of the screen.
  3. Click the dropdown and select Sniper from the list.

You have now configured Intruder to use the Sniper attack method.

Navigate to the Payloads Tab

In this step, you will move to the section where you define the actual data that will be used in the attack. Now that you have configured the target position (username) and the attack type (Sniper), the next logical step is to provide the list of payloads.

The payloads are the values that Intruder will substitute into the §...§ position you defined in Step 1.

To proceed, simply navigate to the Payloads sub-tab within the Intruder tool. You will find it located right next to the Positions tab you were just working in. Clicking on this tab will take you to the payload configuration screen, where you will set up your list of potential usernames in the next step.

Load a Simple List of Payloads (e.g., admin, test, user)

In this step, you will configure the list of payloads for the attack. Since our attack type is Sniper and we have one payload position, we only need to configure one payload set.

In the Intruder > Payloads tab, you will see sections for Payload Sets and Payload Options.

  1. Under the Payload Sets section, ensure Payload set is set to 1 and Payload type is set to Simple list. This is the default and is used for providing a straightforward list of strings.
  2. Under the Payload Options [Simple list] section, you will add your payloads. You can do this by typing directly into the text box or by using the Add button.

Let's add a few common usernames to test. In the text area, type the following values, each on a new line:

admin
test
user
root
guest

Your Payload Options section should now contain this list. Intruder will send one request for each line in this list, substituting the value into the username parameter you marked earlier. The Payload Count at the bottom should now show 5.

Start the Attack and Observe the Results Table

In this step, you will launch the configured attack and analyze the outcome. With the position, attack type, and payloads all set, you are ready to begin.

  1. To start the attack, click the Start attack button located in the top-right corner of the Intruder tab.
  2. A new "Attack" window will open, displaying a results table. This window will populate in real-time as Intruder sends each request.

The results table is the most important part of the process. Pay close attention to the columns, especially:

  • Payload: The specific payload used for that request (e.g., admin, test).
  • Status: The HTTP status code of the response (e.g., 200, 302, 401).
  • Length: The size of the response body in bytes.

To find potential vulnerabilities or valid usernames, look for anomalies. For example, a successful login might result in a 302 Found status (redirecting to a dashboard), while all failed attempts result in a 200 OK (re-displaying the login page). Similarly, a response for a valid username might have a different Length than the others because the error message changes (e.g., "Incorrect password" vs. "User not found").

By sorting the table by the Status or Length columns, you can easily spot any responses that are different from the baseline, indicating a potential finding.
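To make the two mechanics of this lab concrete, here is an added Python example (not part of the lab or of Burp Suite) that reproduces what Intruder does behind the scenes: it expands a request template containing § markers under Sniper semantics (one position at a time, every payload in that position, other positions left untouched, Content-Length recalculated), and then flags rows in a results table that deviate from the most common status/length baseline. The template, payload list and result rows are constructed for illustration; nothing is sent over the network.

```python
import re
from collections import Counter

# Constructed request template in Burp's § marker syntax (not taken from a real target).
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "username=§myuser§&password=mypass"
)
PAYLOADS = ["admin", "test", "user", "root", "guest"]
MARKER = re.compile(r"§(.*?)§")


def sniper_requests(template, payloads):
    """Expand a marked template the way the Sniper attack type does: visit each
    §...§ position in turn, try every payload there, and keep every other
    position at its original value. Returns (position_index, payload, request)."""
    positions = list(MARKER.finditer(template))
    out = []
    for i in range(len(positions)):
        for payload in payloads:
            parts, last = [], 0
            for j, m in enumerate(positions):
                parts.append(template[last:m.start()])
                parts.append(payload if j == i else m.group(1))
                last = m.end()
            parts.append(template[last:])
            req = "".join(parts)
            head, sep, body = req.partition("\r\n\r\n")
            # Burp updates Content-Length automatically; mirror that here so the
            # generated request stays valid after the body changes size.
            head = re.sub(r"Content-Length: \d+",
                          f"Content-Length: {len(body.encode())}", head)
            out.append((i, payload, head + sep + body))
    return out


def find_anomalies(results):
    """results: rows of (payload, status, length) as shown in the attack table.
    The most frequent (status, length) pair is treated as the failure baseline;
    every row that differs from it is returned for manual review."""
    baseline = Counter((s, n) for _, s, n in results).most_common(1)[0][0]
    return [row for row in results if (row[1], row[2]) != baseline]


if __name__ == "__main__":
    for _, payload, req in sniper_requests(TEMPLATE, PAYLOADS):
        print(payload, "->", req.splitlines()[-1])
```

The same baseline-versus-outlier comparison is what sorting the Status and Length columns lets you do by eye; the function just makes the rule explicit.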

Summary

In this lab, you successfully performed a basic Sniper attack using Burp Intruder. This is a fundamental skill for any web application security tester.

You learned how to:

  • Isolate a specific request parameter for testing in the Positions tab by clearing default markers and adding your own.
  • Set the attack type to Sniper, which is ideal for testing a single parameter with a list of payloads.
  • Navigate to the Payloads tab and load a simple, custom list of potential inputs.
  • Launch the attack and analyze the results table, looking for anomalies in the HTTP status codes and response lengths to identify interesting behavior.

Mastering the Sniper attack in Burp Intruder provides a powerful method for automating repetitive testing tasks like username enumeration, password guessing, and fuzzing for common vulnerabilities.