Burp Intruder supports various attack types. Often, a task is achievable with more than one type of attack, but choosing the right one can save you a great deal of effort when conducting manual security testing.
In this tutorial, you'll learn how to use a Cluster bomb attack within Burp Suite to brute-force username and password fields simultaneously.
The Cluster bomb attack type may not be suitable for users of Burp Suite Community Edition - which lacks the full speed version of full speed version of Burp Intruder found in Burp Suite Professional.
The Cluster bomb attack type uses multiple payload sets, with a different payload set assigned to each defined position. It is useful for testing every possible permutation when an attack requires multiple different input values to be inserted in multiple places.
When using a Cluster bomb attack, the number of requests generated increases exponentially with the number of payloads defined. This means that this attack type is mainly used to iterate through relatively small data sets.
In this tutorial for example, a list of 101 usernames and 100 passwords generates a 10,100 request attack (101 * 100 = 10,100).
While the following lab's original solution suggests using two separate Sniper attacks to solve the lab, in this example we will solve it by using a single Cluster Bomb attack. The Cluster Bomb attack's multiple payload sets enable you to test the username and password fields simultaneously.
Solving the lab using a Cluster Bomb attack is less efficient than using two Sniper attacks, as it results in more requests being sent. Unlike the Sniper method, however, the Cluster Bomb method does not rely on you being able to enumerate valid usernames.
Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.
Open Burp's browser, and use it to access the following URL:
https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responsesClick Access the lab and log in to your PortSwigger account if prompted.
In the lab, click the My account link to open the login page.
Enter some sample data into the Username and Password fields to help you identify them later. Click the Log in button.
In Burp Suite, go to the Proxy tab, and click the HTTP history sub tab. Now you can see a list of the HTTP requests made by Burp's browser since you opened Burp Suite.
Find a request made with the MethodPOST, for the URL/login and click it.
Right click on the request you just selected, and click Send to Intruder.
Click the Intruder tab. Note that the request has been sent to Burp Intruder and now has payload positions (demarcated by § symbols) inserted at three points.
To solve the lab, we only require payload positions for the username and password. Click Clear § to clear all positions.
Select the input data in the username field, and click Add § to mark it as a payload position.
Repeat this for the input data in the password field, so that both fields are marked.
From the Choose an attack type drop down, select Cluster bomb.
Click the Payloads tab. Note that Payload set is set to 1 and Payload type is set to Simple list.
Under Payload options [simple list], paste the list of candidate usernames into the box.
Change the Payload set to 2.
Under Payload options [Simple list], paste the list of candidate passwords into the box. Note that Request count has increased to 10,100.
Click the Start attack button.
Payload set defines the position into which a payload set is inserted. For example, if you have defined two payload positions within the request template, then payload set 1 is inserted into the first, and payload set 2 into the second.
Observe that Intruder creates requests combining each entry in payload set 1 with the first entry in payload set 2, before moving onto the next item in payload set 2 and repeating the process. It does this until it reaches the end of payload set 2.
Wait for your attack to finish running - this may take a few minutes, especially if you are using the throttled version of Burp Intruder that comes with Burp Suite Community Edition.
Click the header of the Status column to sort the list of responses by HTTP status code. Note that you may need to click this more than once.
Observe that where most requests have a 200 (OK) status code, one request has a code of 302 (Found). Make a note of the username and password used in this request - they are the correct login details to solve the lab. Note that this is unlikely to be the same combination shown in the screenshot below.
In the Proxy tab, ensure that Intercept is off.
In Burp's browser, return to the lab's Login page, and input the username and password you previously noted for the request with the 302 status code. Click Log in. This will solve the lab.
Congratulations - now you know how to configure a Cluster bomb attack in Burp Intruder to brute-force a simple login form more easily.
In practice, web applications often have robust countermeasures in place to thwart brute-forcing attempts. If you want to learn how to bypass some of these, then check out the Authentication topic in the Web Security Academy.