Use the Cluster Bomb Attack in Burp Intruder

Beginner

Introduction

Burp Intruder is a powerful tool within Burp Suite for automating customized attacks against web applications. It is highly configurable and can be used to perform a wide range of tasks, from simple brute-force guessing to complex vulnerability scanning.

One of the key features of Intruder is its different attack types. The "Cluster Bomb" attack type is particularly useful when an attack requires testing multiple, distinct inputs in combination. It uses multiple payload sets, one for each defined position, and iterates through every possible combination of payloads. This is ideal for scenarios like brute-forcing a login form where you have a list of potential usernames and a separate list of potential passwords.

In this lab, you will learn how to configure and execute a Cluster Bomb attack using Burp Intruder to discover a valid username and password combination on a sample login page.

Send a Login Request to Intruder

In this step, you will launch Burp Suite and a web browser, then capture a login request and send it to Burp Intruder for further analysis.

First, you need to start Burp Suite.

  1. Click on the Application menu in the top-left corner of the desktop.
  2. Navigate to Other -> Burp Suite Community Edition.

Burp Suite will start. Select "Temporary project" and click "Next", then click "Start Burp".

Next, open the Firefox web browser and configure it to use Burp Suite as a proxy.

  1. Click on the Application menu -> Internet -> Firefox Web Browser.
  2. In Firefox, go to Settings -> General -> Network Settings and click Settings....
  3. Select Manual proxy configuration.
  4. Set HTTP Proxy to 127.0.0.1 and Port to 8080.
  5. Check the box Also use this proxy for HTTPS.
  6. Click OK.

Now, navigate to the target login page. In the Firefox address bar, enter:

http://127.0.0.1:5000/login

You should see a simple login form. In Burp Suite, go to the Proxy tab, then the Intercept sub-tab, and make sure interception is on (the button should say "Intercept is on").

Back in Firefox, enter test for the username and test for the password, and click the Login button. The request will be caught in Burp's Proxy -> Intercept tab.

Now, send this captured request to Intruder.

  1. Right-click anywhere in the request panel.
  2. Select Send to Intruder from the context menu.
  3. You will see the Intruder tab highlight, indicating the request has been sent.

You can now turn off interception by clicking the "Intercept is on" button in the Proxy -> Intercept tab.

Add Payload Markers to Username and Password Fields

In this step, you will configure the payload positions in Burp Intruder. Payload positions tell Intruder where to place the payloads during the attack. For a Cluster Bomb attack on a login form, we need two positions: one for the username and one for the password.

Navigate to the Intruder tab in Burp Suite. You will see four sub-tabs: Target, Positions, Payloads, and Options. Click on the Positions tab.

The request you sent from the Proxy is displayed here. Burp Intruder automatically tries to guess where payloads should go and adds payload markers (§...§). We will clear these and set our own for better control.

  1. Click the Clear § button on the right side of the window. This removes all automatically-added payload markers.
  2. In the request editor, find the line with the username parameter: username=test.
  3. Carefully highlight just the value test.
  4. Click the Add § button. The line should now look like username=§test§.
  5. Next, find the line with the password parameter: password=test.
  6. Highlight just the value test.
  7. Click the Add § button again. The line should now look like password=§test§.

You have now defined two payload positions. Burp Intruder will substitute data into these marked locations during the attack.

Set the Attack Type to 'Cluster Bomb'

In this step, you will select the appropriate attack type for our goal. Burp Intruder offers four attack types, each serving a different purpose:

  • Sniper: Uses a single payload set and targets one position at a time.
  • Battering Ram: Uses a single payload set and places the same payload in all positions simultaneously.
  • Pitchfork: Uses multiple payload sets, placing one payload from each set into the corresponding position.
  • Cluster Bomb: Uses multiple payload sets and tries every combination of payloads.

For our scenario, we want to test every possible password from a list against every possible username from another list. The Cluster Bomb attack type is perfect for this.
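To make the difference between the four attack types concrete, here is an added Python model (not part of the lab or of Burp Suite) that reproduces which (username, password) pairs each type would send for this lab's two payload sets and two marked positions; the attack-type semantics follow the descriptions above, and the base values of "test" come from the intercepted request.

```python
from itertools import product

# Payload sets used later in this lab (Payload set 1 and Payload set 2).
USERNAMES = ["user", "guest", "admin", "root"]
PASSWORDS = ["password", "123456", "qwerty", "password123"]

# Values at the two marked positions in the captured request:
# username=§test§ and password=§test§
BASE = ("test", "test")


def intruder_requests(attack_type, payload_sets, base=BASE):
    """Return the list of (username, password) tuples a given attack type sends.

    payload_sets[0] is Payload set 1 and payload_sets[1] is Payload set 2.
    Sniper and Battering Ram use only set 1, as in Burp Intruder.
    """
    n_positions = len(base)
    if attack_type == "sniper":
        # One position at a time; the other position keeps its base value.
        out = []
        for pos in range(n_positions):
            for payload in payload_sets[0]:
                req = list(base)
                req[pos] = payload
                out.append(tuple(req))
        return out
    if attack_type == "battering ram":
        # The same payload is placed into every position at once.
        return [tuple([payload] * n_positions) for payload in payload_sets[0]]
    if attack_type == "pitchfork":
        # Sets are walked in parallel: i-th payload of each set -> i-th position.
        return list(zip(*payload_sets))
    if attack_type == "cluster bomb":
        # Cartesian product: every payload of set 1 against every payload of set 2.
        return list(product(*payload_sets))
    raise ValueError(f"unknown attack type: {attack_type}")


def request_count(attack_type, payload_sets):
    return len(intruder_requests(attack_type, payload_sets))


if __name__ == "__main__":
    sets = [USERNAMES, PASSWORDS]
    for name in ("sniper", "battering ram", "pitchfork", "cluster bomb"):
        print(f"{name:13s} -> {request_count(name, sets)} requests")
    # Only Cluster Bomb reaches the pair this lab is looking for.
    print(("admin", "password123") in intruder_requests("cluster bomb", sets))
```

Pitchfork sends just 4 requests here and pairs admin with qwerty, which is why it would miss the valid combination that Cluster Bomb's 16 requests cover.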

In the Intruder -> Positions tab, locate the Attack type dropdown menu at the top of the screen.

  1. Click on the dropdown menu.
  2. Select Cluster Bomb from the list.

Notice that after selecting Cluster Bomb, the Payloads tab now allows you to configure multiple payload sets, corresponding to the number of payload markers you defined in the previous step. In our case, we will have two payload sets to configure.

Configure Two Payload Lists (Usernames and Passwords)

In this step, you will provide the lists of potential usernames and passwords that Intruder will use for the attack.

Navigate to the Intruder -> Payloads tab.

Since you selected the Cluster Bomb attack type and defined two payload positions, you can now configure two separate payload lists.

First, configure the username list (Payload set 1):

  1. Ensure the Payload set dropdown is set to 1. This corresponds to the first § marker you added (the username).
  2. Under Payload Options, click the Add button.
  3. Enter the following potential usernames, one per line:
    • user
    • guest
    • admin
    • root

Next, configure the password list (Payload set 2):

  1. Change the Payload set dropdown from 1 to 2. This corresponds to the second § marker (the password).
  2. Under Payload Options, click the Add button.
  3. Enter the following potential passwords, one per line:
    • password
    • 123456
    • qwerty
    • password123

You have now configured Intruder to test every combination of these two lists. It will make a total of 4 (usernames) x 4 (passwords) = 16 requests.

Run the Attack to Test Every Combination of Payloads

In this step, you will launch the attack and analyze the results to find the correct login credentials.

  1. In the top-right corner of the Intruder tab, click the Start attack button.
  2. A new window titled "Intruder attack" will open, and the attack will begin immediately.

This new window displays a results table. You will see requests being sent, and the table will populate with the results. The key columns to watch are:

  • Payload 1: The username used for that request.
  • Payload 2: The password used for that request.
  • Status: The HTTP status code of the response (e.g., 200 for OK, 401 for Unauthorized).
  • Length: The size of the response body in bytes.

A successful login will likely result in a different response from an unsuccessful one. This difference can be seen in the Status code or the Length.

Look through the results. You should notice that one request has a different Length and Status compared to the others. Most attempts will result in a 401 Unauthorized status, but the correct one will be 200 OK. The response Length for the successful login will also be different.

To easily find the unique response, you can click on the Status or Length column headers to sort the results.

The successful request will have the payload combination:

  • Payload 1: admin
  • Payload 2: password123

You can click on this successful request in the table to view the full Request and Response in the panels below. The response for the successful login will contain the text "Login Successful!".
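Seen from the server, the same 16 requests are a burst of failed POSTs to the login path from one client followed by a single success, which is the pattern a defender's log monitoring should pick up. The following Python detector is an added example, not part of the lab: it runs over constructed access-log lines in a simplified format of my own (ip, ISO timestamp, request line, status, length), and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified log line format assumed for this example:
# <ip> <ISO timestamp> "<METHOD> <path>" <status> <length>
LINE_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+)" (\d{3}) (\d+)$')

# Constructed sample: one unrelated GET, then the lab's 16 POST /login attempts
# from a single client, 15 rejected with 401 and the last accepted with 200.
SAMPLE_LOG = "\n".join(
    ['10.0.0.7 2024-01-01T12:00:00 "GET /login" 200 1532']
    + [f'10.0.0.9 2024-01-01T12:00:{i:02d} "POST /login" 401 87' for i in range(1, 16)]
    + ['10.0.0.9 2024-01-01T12:00:16 "POST /login" 200 245']
)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, length = m.groups()
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "method": method,
            "path": path, "status": int(status), "length": int(length)}


def detect_bruteforce(log_text, path="/login", threshold=10, window=timedelta(seconds=60)):
    """Flag sources with at least `threshold` 401s to `path` inside `window`.

    Returns {ip: {"failures": total_401s, "success_after": bool}}, where
    success_after is True if a 200 to the same path followed the burst.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e and e["method"] == "POST" and e["path"] == path:
            events[e["ip"]].append(e)
    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["status"] == 401]
        for i in range(len(fails)):          # sliding window over failure times
            j = i
            while j < len(fails) and fails[j] - fails[i] <= window:
                j += 1
            if j - i >= threshold:
                last_fail = fails[j - 1]
                success = any(e["status"] == 200 and e["ts"] >= last_fail for e in evs)
                findings[ip] = {"failures": len(fails), "success_after": success}
                break
    return findings
```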

Congratulations, you have successfully used a Cluster Bomb attack to find valid credentials!

Summary

In this lab, you have learned how to perform a Cluster Bomb attack using Burp Intruder.

You started by intercepting a login request using Burp's proxy and sending it to Intruder. You then manually configured two distinct payload positions for the username and password fields. After selecting the Cluster Bomb attack type, you configured two separate payload lists—one for usernames and one for passwords.

Finally, you launched the attack and analyzed the results table, identifying the successful login combination by looking for an anomalous response status code and length. This hands-on exercise demonstrates the power and utility of the Cluster Bomb attack type for testing authentication mechanisms with multiple inputs.