Burpsuite - Intruder Attack Types - Power of Payloads with Burp

Burp Suite is a graphical tool and integrated platform for performing web application security testing. Its numerous tools work in unison to assist the full testing process, from mapping and analyzing an application's attack surface to detecting and exploiting security vulnerabilities.

Burp Intruder supports a number of attack methods, which influence how payloads are assigned to payload places. Select the attack type from the drop-down menu above the request template editor. There are four attack kinds to choose from:


  • The default attack-type and uses a single set of payloads.
  • In this mode, Burp will iterate through each input that is between the markers, and the elements of the payload list get injected individually one at a time.
  • If there are more than 1 inputs the sniper will do the injection (total no. of inputs * number of elements in a list) times.


  • In this mode, Burp can work with several payload sets where The attack iterates through all payload sets simultaneously
  • For example, if we have 2 input fields (username and password) we can try to bypass the authentication with username and password pairs. The first payload will contain the usernames and the second will contain the matching passwords for each username. Every username has a pair in the password payload.
  • The total number of requests generated in the attack is the number of payloads in the smallest payload set.

Battering Ram

  • Battering ram uses a single set of payloads and injects the same element into each input field given simultaneously. It serves excellent to use when we want to test the same input in multiple places, for example, to check if someone gave their own username as their password.
  • The total number of requests is the number of payloads in the payload set.

Cluster Bomb

  • This attack type uses multiple payload sets and tests the inputs for every combination. The first input field uses the elements of the first payload and the second input uses the second payload and so forth. 
  • The inputs test for all possible combinations of usernames and passwords. 
  • The total number of products could get extremely large. Elements of payloads are multiplied for every payload set.

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.

No comments:

Post a Comment