Introduction
In this lab, you will explore one of Burp Suite Intruder's attack types: the Battering Ram. Burp Intruder is a powerful tool for automating customized attacks against web applications. The Battering Ram attack type is specifically designed for situations where the same payload needs to be inserted into multiple positions within an HTTP request.
A common use case for this attack is testing login forms for weak credentials where the username and password might be identical (e.g., admin/admin). Throughout this lab, you will learn how to capture a login request, configure payload markers, select the Battering Ram attack type, set up a payload list, and finally, launch the attack to analyze the results.
By the end of this lab, you will have a practical understanding of how and when to use the Battering Ram attack in your web application security testing workflow.
Send a Login Request to Intruder
In this step, you will launch the necessary tools and capture a sample login request to send to Burp Intruder for attack configuration.
First, open a terminal to launch Burp Suite. You can typically find it in the application menu or launch it from the command line. For this lab, we will assume it's ready to be launched.
Next, open the Firefox web browser provided in the lab environment.
Now, let's configure Burp Suite to intercept web traffic.
- In Burp Suite, go to the Proxy tab, and then the Intercept sub-tab. Make sure interception is turned on (the button should say "Intercept is on").
- In Firefox, configure the browser to use Burp's proxy. Go to Settings -> Network Settings and set the Manual proxy configuration to use 127.0.0.1 as the HTTP Proxy and 8080 as the Port.
- In the Firefox address bar, navigate to the login page of our test application: http://127.0.0.1:5000/login.
- Enter test for the username and test for the password, then click the "Login" button.
The request will be captured in Burp Suite's Proxy -> Intercept tab. The screen will show the raw HTTP request.
Finally, send this captured request to Intruder. Right-click anywhere in the request window and select Send to Intruder from the context menu. You can also use the keyboard shortcut Ctrl+I.
You can now go to the Intruder tab, where you will see the request loaded and ready for configuration.
In Positions, Add Payload Markers to Both Username and Password Fields
In this step, you will define the positions in the HTTP request where Burp Intruder should place its payloads. For a Battering Ram attack, we will mark both the username and password fields.
Navigate to the Intruder tab and then to the Positions sub-tab. You will see the request you sent from the Proxy tab. Burp Suite automatically adds payload markers (highlighted with § symbols) to what it thinks are interesting parts of the request.
For this specific attack, we want to control the payload positions precisely.
- First, click the Clear § button on the right-hand side. This will remove all automatically-generated payload markers.
- Now, locate the line in the request body that contains the username and password, which should look like username=test&password=test.
- Highlight the value test for the username parameter with your mouse.
- Click the Add § button. The line should now look like username=§test§&password=test.
- Next, highlight the value test for the password parameter.
- Click the Add § button again.
After completing these steps, your request body should have payload markers around both the username and password values, like this:
username=§test§&password=§test§
This configuration tells Intruder to insert payloads into these two specific locations.
Set the Attack Type to 'Battering Ram'
In this step, you will select the appropriate attack type for our scenario. Burp Intruder offers four different attack types, each serving a unique purpose.
- Sniper: Uses a single payload set, targeting one position at a time.
- Battering ram: Uses a single payload set, placing the same payload in all marked positions simultaneously.
- Pitchfork: Uses multiple payload sets, placing one payload from each set into corresponding positions.
- Cluster bomb: Uses multiple payload sets, testing every possible combination of payloads.
For our goal of testing if the username and password are the same, the Battering ram attack is the perfect choice. It will take a single list of potential credentials and try each one for both the username and the password in the same request.
In the Intruder -> Positions tab, locate the Attack type dropdown menu at the top of the screen. By default, it is set to "Sniper". Click on the dropdown menu and select Battering ram.
Once selected, Burp Intruder is now configured to use the Battering Ram attack logic.
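To make the difference between the four attack types concrete, here is an added example (not code from the lab or from Burp Suite) that models how Intruder expands a request template containing § payload markers under each attack type. The marker syntax, attack-type names and the username=§test§&password=§test§ template come from the lab; the function names and the order in which requests are generated are this example's own assumptions.

```python
# Added example, not part of the lab or of Burp Suite itself: a small model of
# how Intruder expands a request template with § payload markers under each of
# the four attack types. The marker syntax and attack-type names come from the
# lab; the function names and the ordering of the generated requests are this
# example's own assumptions.
import re
from itertools import product

# A payload position is any text between a pair of § markers.
MARKER = re.compile(r"§(.*?)§")


def positions(template):
    """Return the original values of the §-marked positions, left to right."""
    return MARKER.findall(template)


def fill(template, values):
    """Replace the i-th marked position with values[i]; the markers are removed."""
    if len(values) != len(positions(template)):
        raise ValueError("one value per marked position is required")
    it = iter(values)
    return MARKER.sub(lambda _m: next(it), template)


def battering_ram(template, payloads):
    """One payload set; the same payload goes into every marked position."""
    n = len(positions(template))
    return [fill(template, [p] * n) for p in payloads]


def sniper(template, payloads):
    """One payload set; one position at a time, the others keep their original value."""
    originals = positions(template)
    requests = []
    for i in range(len(originals)):
        for p in payloads:
            values = list(originals)
            values[i] = p
            requests.append(fill(template, values))
    return requests


def pitchfork(template, payload_sets):
    """One set per position, walked in lock-step (stops at the shortest set)."""
    return [fill(template, list(combo)) for combo in zip(*payload_sets)]


def cluster_bomb(template, payload_sets):
    """One set per position; every combination of payloads is generated."""
    return [fill(template, list(combo)) for combo in product(*payload_sets)]


if __name__ == "__main__":
    template = "username=§test§&password=§test§"
    for body in battering_ram(template, ["test", "guest", "admin"]):
        print(body)
```

Running it prints one request body per payload, with the same value in both positions, which is exactly what the Battering ram setting does; sniper, pitchfork and cluster_bomb show why the other three types produce a different number of requests from the same template.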
Configure a Simple Payload List (e.g., test, guest)
In this step, you will provide the list of payloads that Intruder will use for the attack. Since we are using the Battering Ram attack type, we only need to configure one payload set.
- Navigate to the Intruder -> Payloads tab.
- The "Payload Sets" section should show "Payload set: 1" and "Payload type: Simple list". This is the default and is correct for our needs.
- In the "Payload Options" section below, there is a text box for adding your payloads. You can add payloads one by one by typing them in and clicking the Add button, or you can paste a list directly into the box.
For this lab, let's add a few common default or weak credentials. Clear any existing payloads in the list and add the following, one per line:
test
guest
admin
password
user
Your "Payload Options" list should now contain these five entries.
With this configuration, Intruder will iterate through this list. For each item, it will place that value into both the username and password fields that we marked in Step 2.
Run the Attack and Analyze How the Same Payload is Used in Both Positions
In this final step, you will launch the attack and analyze the results to understand how the Battering Ram attack works.
- Ensure all your configurations in the Positions and Payloads tabs are correct.
- In the top-right corner of the Intruder window, click the Start attack button.
A new "Intruder attack" window will open, and the attack will begin immediately. You will see a results table that populates as each request is sent.
Let's analyze the results:
- Results Table: Notice the columns for "Payload", "Status", and "Length". The "Payload" column shows the value used from your payload list for that specific request.
- Request/Response Tabs: Click on any row in the results table (e.g., the row with the payload guest). At the bottom of the window, you can inspect the Request and Response for that attempt.
- In the Request tab, you will see that the payload guest was inserted into both the username and password parameters: username=guest&password=guest. This confirms the Battering Ram behavior.
- In the Response tab, you can see the server's reply.
Look for anomalies in the results. A successful login will likely have a different status code or response length. In our case, the test payload should result in a successful login. You can identify it by looking for the "Login successful!" message in the response body or by sorting the results by "Length" to see which response is different.
This analysis demonstrates how the Battering Ram attack efficiently tests for cases where a single input is used in multiple parameters, a common scenario in credential testing.
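The "look for the row that is different" step above can be expressed as a small check. The following is an added example, not code from the lab or from Burp Suite: it takes rows shaped like Intruder's results table, computes the most common (status, length) pair (for a login form, the failed-login response) and reports the payloads whose response differs from it or contains the "Login successful!" text quoted in the lab. SAMPLE_RESULTS is constructed data; the row fields and function names are this example's own assumptions.

```python
# Added example, not part of the lab: flag the anomalous rows in an Intruder
# results table by comparing each response with the most common
# (status, length) shape, which for a login form is the failed-login response.
# SAMPLE_RESULTS is constructed data shaped like the lab's results table; the
# row fields, the "Login successful!" marker (quoted from the lab text) and the
# function names are this example's own assumptions.
from collections import Counter

SAMPLE_RESULTS = [
    {"payload": "test",     "status": 200, "length": 431, "body": "Login successful! Welcome, test."},
    {"payload": "guest",    "status": 200, "length": 402, "body": "Invalid username or password."},
    {"payload": "admin",    "status": 200, "length": 402, "body": "Invalid username or password."},
    {"payload": "password", "status": 200, "length": 402, "body": "Invalid username or password."},
    {"payload": "user",     "status": 200, "length": 402, "body": "Invalid username or password."},
]


def baseline(rows):
    """The most common (status, length) pair across all rows."""
    return Counter((r["status"], r["length"]) for r in rows).most_common(1)[0][0]


def anomalies(rows, marker=None):
    """Payloads whose response differs from the baseline shape or contains marker."""
    base = baseline(rows)
    hits = []
    for r in rows:
        shape_differs = (r["status"], r["length"]) != base
        marker_found = marker is not None and marker in r["body"]
        if shape_differs or marker_found:
            hits.append(r["payload"])
    return hits


if __name__ == "__main__":
    print("baseline (status, length):", baseline(SAMPLE_RESULTS))
    print("anomalous payloads:", anomalies(SAMPLE_RESULTS, marker="Login successful!"))
```

Two caveats when applying this to real results: if the application echoes the submitted username into the failure page, the length varies with the payload and only the status code and the marker text remain reliable signals; and when more than one payload succeeds, the baseline is still the failure shape as long as failures are the majority, which is the usual case with a short list like the one used here.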
Summary
In this lab, you have successfully configured and executed a Battering Ram attack using Burp Suite Intruder.
You learned how to:
- Capture an HTTP request using Burp Proxy and send it to Intruder.
- Clear default payload markers and precisely define custom payload positions.
- Select the Battering Ram attack type, understanding its specific use case.
- Configure a simple payload list for the attack.
- Launch the attack and analyze the results to confirm that the same payload was used in all specified positions for each request.
The Battering Ram is a valuable tool in a penetration tester's arsenal, especially for testing login forms and other functions where a single piece of data might be used for multiple parameters. Mastering this technique will improve the efficiency and effectiveness of your web application security assessments.
