Burp Intruder makes it possible to automate attacks against more than one target host. In this tutorial, we demonstrate how you can use this feature to discover additional attack surface by enumerating valid subdomains of a given target.
This technique can be repurposed in many ways (e.g. for automating a single attack against multiple sites), but is particularly useful when performing reconnaissance.
Multi-host Intruder attacks were introduced into Burp Suite in version 2021.12. You may need to update Burp Suite to the latest version to access these features.
In this tutorial, you'll learn how to:
For the purpose of this tutorial, pretend that we have been given a web application to perform security testing on. Any content we discover within this application is considered "in scope" (i.e. a valid target) for testing. As part of our reconnaissance phase, we therefore search for subdomains to perform testing on, using Burp Intruder.
Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.
Open Burp's browser and access the following URL:
http://portswigger-labs.net/
In Burp Suite, go to the Proxy tab, and click the HTTP history sub-tab. Here you can see a list of the HTTP requests made by Burp's browser since you opened Burp Suite.
Right click the request you just made to http://portswigger-labs.net/, and click Send to Intruder.
Open the Intruder tab, where your request is now displayed.
In the Target field, add a placeholder subdomain.
Select the placeholder subdomain and click the Add § button to mark it as a payload position.
In this tutorial, we are using a single insertion point with a Sniper attack type to cause Intruder to cycle through a list of potential subdomain names. Note that "Sniper" is selected under Choose an attack type. Note also that some other Intruder attack types can use two or more insertion points.
For the purpose of this tutorial, we are using a list of payloads that comes with Burp Suite Professional. Bear in mind that experienced testers often curate their own lists for use in such situations.
The Add from list ... feature is exclusive to Burp Suite Professional. If you wish to follow this tutorial using Burp Suite Community Edition, read Step 5 to find an interesting directory name - then add this name to the payload options field as shown in Step 4.
In the Intruder tab, click the Payloads sub-tab.
Under Payload Options [Simple list], click the Add from list ... drop-down. Select "Directories - short". This populates the payload options field with a list of 362 potential directory names.
Click the Start attack button and wait for your attack to finish running - this may take a moment.
Click the header of the Length column to sort the list of responses by length. Observe that most responses have a length of 2937, whereas the request where the subdomain staff has been used has a length of 353. This indicates that the response to this request contains different content from the others in the list. Select the interesting request.
Click Response to view the response associated with the request. This shows you that the URL points to a login form of some kind.
Open Burp's browser and access the URL you enumerated:
http://staff.portswigger-labs.net/
Observe that a login form is rendered.
It appears that we have discovered a hidden subdomain which has login functionality. This could be of great interest to a security tester.
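The two ideas the steps above rely on, a Sniper attack substituting each payload into the single § position, and triaging the results by sorting on response length to spot the one that differs from the baseline, can be expressed in a few lines of code. The script below is an added example and is not part of the PortSwigger tutorial or of Burp Suite itself; the target template, the payload names and the result table are constructed inline to mimic what Intruder shows in its results view (payload, status code, response length), so it runs offline and makes no network requests.

```python
import re
from collections import Counter

# Burp marks a payload position with a pair of section signs. This template is an
# assumption modelled on step "add a placeholder subdomain": the placeholder is the
# part between the markers.
TARGET_TEMPLATE = "\u00a7placeholder\u00a7.portswigger-labs.net"
POSITION_RE = re.compile("\u00a7[^\u00a7]*\u00a7")


def expand_position(template, payload):
    """Sniper-style substitution: replace the single marked position with one payload."""
    return POSITION_RE.sub(payload, template, count=1)


def build_hosts(template, payloads):
    """Produce one target host per payload, as a single-position Sniper attack does."""
    return [expand_position(template, p) for p in payloads]


# Constructed stand-in for Intruder's results table: (payload, status, response length).
# Lengths are chosen to mirror the tutorial, where the baseline was 2937 and "staff" was 353.
SAMPLE_RESULTS = [
    ("admin", 200, 2937),
    ("images", 200, 2937),
    ("staff", 200, 353),
    ("test", 200, 2937),
    ("backup", 200, 2937),
]


def sort_by_length(results):
    """Equivalent of clicking the Length column header: shortest response first."""
    return sorted(results, key=lambda row: row[2])


def baseline_length(results):
    """The most common response length is the 'nothing interesting here' baseline."""
    counts = Counter(length for _, _, length in results)
    return counts.most_common(1)[0][0]


def find_outliers(results, tolerance=0):
    """Return rows whose length differs from the baseline by more than `tolerance` bytes.

    A tolerance above zero is useful when a wildcard response carries a timestamp or
    nonce that makes every baseline length differ by a few bytes.
    """
    base = baseline_length(results)
    return [row for row in results if abs(row[2] - base) > tolerance]


if __name__ == "__main__":
    payloads = [row[0] for row in SAMPLE_RESULTS]
    for host in build_hosts(TARGET_TEMPLATE, payloads):
        print("would request http://%s/" % host)
    for payload, status, length in find_outliers(SAMPLE_RESULTS):
        print("interesting: %s (status %d, length %d)" % (payload, status, length))
```

The baseline is taken as the modal response length rather than a fixed number, so the same triage works against a host whose default page is a different size from the tutorial's; the `tolerance` argument is the knob to turn when the baseline itself jitters by a few bytes.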
Congratulations - now you know how to use Burp Intruder to enumerate subdomains for a host. This methodology can open up more attack surface for you to test - which can increase your chances of successfully compromising a test application.
For information on how you could use Burp Intruder to brute-force a login form like the one we found here, see the Authentication topic in the Web Security Academy - or check out our tutorial on brute-forcing login mechanisms with Burp Intruder.