Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Generating Customised Intruder Attacks from an Extension

Daniel May 05, 2018 06:37PM UTC


I'm trying to create a burp extension which generates customised intruder attacks. I'm aware that I can create attacks with some level of control (,%20int,%20boolean,%20byte[],%20java.util.List) ), however, is there any way to set options such as the attack type, number of threads, payloads, etc. ?

Apologies if I've missed something obvious.

Paul Johnston May 08, 2018 07:45AM UTC Support Center agent

Hi Daniel,

Thanks for your message. Unfortunately it is not possible for extensions to customize attack options. We may add this capability in the future, but we’ve not prioritized this as we expect most users to start Intruder attacks manually. We’d be interested to know more about your use case.

Please let us know if you need any further assistance.

Daniel May 08, 2018 04:16PM UTC
Hi Paul,

Thanks for the reply. In terms of the use case, I was hoping to create a plugin with saved configurations for intruder attacks. This is mostly for a couple of situations:

1. Testing SQL injection (and other vulnerabilities) - when manual testing reveals nothing for a parameter I quite like to use an appropriate word list with intruder to fuzz it since there are a large number of possible cases to test if errors are being handled quietly. Every time I do this, I'm sending to intruder, setting the template properly, selecting the word list, reducing the threads, and removing the option for making an unmodified baseline request. While this doesn't take long at all to do once or twice, it would be a lot smoother and less tedious to be able to perform this from an option on the right-click menu each time as I'm essentially running the same attack repeatedly.

2. I sometimes have to perform vulnerability assessments at work that include brute-forcing web application logins with small word lists (using the same word lists for each login). Rather than having to configure this attack each time (which can be a large number depending on the scope), I would like to be able to submit the login form with a username and password such as "bruteuser" and "brutepass", then with one action from the right-click menu in the proxy send this request to intruder with markers around "bruteuser" and "brutepass", set the threads, set the attack type to Cluster Bomb, set the word lists, etc.

I believe the ability to do this will take out a lot of the tedium from certain types of testing, and make the testing a bit more seamless.

Paul Johnston May 09, 2018 09:11AM UTC Support Center agent

Hi Daniel,

Thanks for explaining your use cases. Are you aware that you can save and load attack configs within Intruder? This may help you somewhat – although it’s not as slick as what you propose.

For the SQL injection use case, we would encourage you to use Scanner instead of Intruder. This uses a similar set of payloads, although they are adaptive, and also have detection logic that avoids a human having to check the responses. If some checks you regularly want to do are missing, you can code a custom IScannerCheck. In fact, we’d be interested to hear about missing payloads as we would consider adding them to the core scanner.

Please let us know if you need any further assistance.

Post Your public answer

Your name
Your email address