Send a Request to Intruder in Burp Suite


Introduction

Burp Suite Intruder is a powerful tool for automating customized attacks against web applications. It is extremely flexible and can be used to perform a wide range of tasks, from simple fuzzing to complex enumeration.

The first and most fundamental step in using Intruder is to select a request and send it to the tool for configuration. In this lab, you will learn how to capture a request containing parameters using the Burp Proxy and then send it to the Intruder tool. This is a foundational skill for performing any type of attack with Intruder.

Find a Request with Parameters in the Proxy History

In this step, you will generate web traffic by submitting a login form and then locate the resulting request in Burp Suite's Proxy history. This captured request will be the one we work with.

First, let's generate the request.

  1. Open the Web Browser application from the desktop or application menu.
  2. In the browser's address bar, navigate to http://127.0.0.1:8000. You should see a simple login page.
  3. The form is pre-filled with testuser and testpass. Click the Submit button.
  4. The browser will show "Invalid Credentials," which is expected. The important part is that we have now sent a POST request with parameters.

Now, let's find this request in Burp Suite.

  1. Switch to the Burp Suite window.
  2. Click on the Proxy tab.
  3. Within the Proxy tab, click on the HTTP history sub-tab.
  4. You will see a list of all the requests your browser has made through Burp. Look for the request that shows POST in the "Method" column and /login in the "URL" column. Click on it to select it.

Once you select the request, you can see its full content in the panels below, including the username and password parameters we submitted.

Right-Click the Request and Select 'Send to Intruder'

In this step, you will send the captured POST /login request from the Proxy history to the Intruder tool. This action copies the request to Intruder, where you can then configure an attack.

  1. Ensure the POST /login request is still highlighted in the Proxy > HTTP history table.
  2. Right-click anywhere on that request's line to open the context menu.
  3. In the context menu, move your mouse down the list of options and click on Send to Intruder.

Alternatively, you can select the request and use the keyboard shortcut Ctrl+I.

After you click "Send to Intruder", you won't see an immediate change in the Proxy tab, but the main Intruder tab at the top of the window will turn orange, indicating that it has received a new request and is ready for your attention.

Navigate to the Intruder Tab and View the Request

In this step, you will navigate to the Intruder tool to view the request you just sent. The Positions tab is the default view where you define which parts of the request will be modified during an attack.

  1. Look at the main tabs at the top of the Burp Suite window. You should see that the Intruder tab is now highlighted (typically in orange).
  2. Click on the Intruder tab to switch to the Intruder tool.

By default, you will be taken to the Positions sub-tab. This screen is divided into two main parts: the target information at the top (Host and Port) and the request editor below, which shows the request you sent from the Proxy. This is where you will configure the attack parameters.

Observe the Automatically Identified Payload Positions

In this step, you will examine how Burp Suite automatically identifies potential payload positions in the request. These positions are the locations where Intruder will insert payloads during an attack.

When a request is sent to Intruder, Burp Suite automatically analyzes it and guesses which parts you might want to attack. It marks these parts as "payload positions".

In the Intruder > Positions tab, look at the request editor. You will see that the values of the username and password parameters are highlighted and surrounded by a special symbol: §.

The request body will look similar to this:

username=§testuser§&password=§testpass§

Each pair of §...§ symbols defines a single payload position. Burp has automatically created two positions here, one for the username and one for the password. On the right side of the screen, you can see the "Attack type" is set to Sniper by default; this attack type inserts each payload into one position at a time while the other positions keep their original values.

This auto-detection is a convenient starting point, but for many attacks, you will want to define the positions manually.

Clear Default Positions Using the 'Clear §' Button

In this step, you will learn how to clear the automatically defined payload positions. This is a crucial step when you want to set up a more targeted attack, such as testing only the password field instead of all parameters.

To the right of the request editor, there is a set of buttons: Add §, Clear §, Auto §, and Refresh.

  1. Locate the Clear § button.
  2. Click the Clear § button.

After clicking it, you will see that all the highlights and the § symbols have been removed from the request editor. The request body now looks clean, like this:

username=testuser&password=testpass

The request is now ready for you to manually select a specific part of the request (like just the value testpass) and use the Add § button to define your own custom payload position. This gives you full control over the attack.
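To make the marker semantics concrete, here is a small Python model, added here and not part of this lab or of Burp Suite itself, of how §...§ pairs define payload positions, what the Clear § and Add § buttons do to the request body shown above, and how the default Sniper attack type substitutes payloads into one position at a time. The template string and the payload list are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample: the body this lab shows after Burp's auto-detection.
TEMPLATE = "username=§testuser§&password=§testpass§"

MARKER = "§"


def find_positions(template: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, current_value) for each §...§ pair, in order.
    Offsets are into the template string, markers included."""
    if template.count(MARKER) % 2 != 0:
        raise ValueError("unbalanced § markers")
    return [(m.start(), m.end(), m.group(1))
            for m in re.finditer(r"§([^§]*)§", template)]


def clear_positions(template: str) -> str:
    """Model of the 'Clear §' button: drop every marker, keep the values."""
    return template.replace(MARKER, "")


def add_position(body: str, value: str) -> str:
    """Model of selecting `value` and pressing 'Add §' (first occurrence only)."""
    idx = body.find(value)
    if idx < 0:
        raise ValueError(f"{value!r} not found in body")
    return body[:idx] + MARKER + value + MARKER + body[idx + len(value):]


def sniper_requests(template: str, payloads: List[str]) -> List[str]:
    """Sniper attack type: each position in turn receives every payload
    while all other positions keep their original values."""
    positions = find_positions(template)
    out = []
    for target in range(len(positions)):
        for payload in payloads:
            parts, last = [], 0
            for i, (start, end, original) in enumerate(positions):
                parts.append(template[last:start])
                parts.append(payload if i == target else original)
                last = end
            parts.append(template[last:])
            out.append("".join(parts))
    return out  # positions x payloads request bodies
```

Run `sniper_requests(TEMPLATE, ["a", "b"])` to see the four bodies Sniper would generate for two positions and two payloads.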

Summary

In this lab, you have successfully learned the essential first steps for using Burp Suite Intruder.

You started by generating traffic with a web browser and locating a specific POST request in the Proxy history. You then learned how to send this request to the Intruder tool. Finally, you observed how Burp Intruder automatically marks payload positions and how to clear these defaults to prepare for a custom attack configuration.

Mastering this workflow is fundamental to leveraging the power of Burp Intruder for web application security testing.