Burp Suite User Forum

Login to post

Generating Customised Intruder Attacks from an Extension

Daniel | Last updated: May 05, 2018 06:37PM UTC

Hi, I'm trying to create a burp extension which generates customised intruder attacks. I'm aware that I can create attacks with some level of control (https://portswigger.net/burp/extender/api/burp/IBurpExtenderCallbacks.html#sendToIntruder(java.lang.String,%20int,%20boolean,%20byte[],%20java.util.List) ), however, is there any way to set options such as the attack type, number of threads, payloads, etc. ? Apologies if I've missed something obvious.

PortSwigger Agent | Last updated: May 08, 2018 07:40AM UTC

Hi Daniel, Thanks for your message. Unfortunately it is not possible for extensions to customize attack options. We may add this capability in the future, but we've not prioritized this as we expect most users to start Intruder attacks manually. We'd be interested to know more about your use case. Please let us know if you need any further assistance.

Burp User | Last updated: May 08, 2018 04:16PM UTC

Hi Paul, Thanks for the reply. In terms of the use case, I was hoping to create a plugin with saved configurations for intruder attacks. This is mostly for a couple of situations: 1. Testing SQL injection (and other vulnerabilities) - when manual testing reveals nothing for a parameter I quite like to use an appropriate word list with intruder to fuzz it since there are a large number of possible cases to test if errors are being handled quietly. Every time I do this, I'm sending to intruder, setting the template properly, selecting the word list, reducing the threads, and removing the option for making an unmodified baseline request. While this doesn't take long at all to do once or twice, it would be a lot smoother and less tedious to be able to perform this from an option on the right-click menu each time as I'm essentially running the same attack repeatedly. 2. I sometimes have to perform vulnerability assessments at work that include brute-forcing web application logins with small word lists (using the same word lists for each login). Rather than having to configure this attack each time (which can be a large number depending on the scope), I would like to be able to submit the login form with a username and password such as "bruteuser" and "brutepass", then with one action from the right-click menu in the proxy send this request to intruder with markers around "bruteuser" and "brutepass", set the threads, set the attack type to Cluster Bomb, set the word lists, etc. I believe the ability to do this will take out a lot of the tedium from certain types of testing, and make the testing a bit more seamless.

PortSwigger Agent | Last updated: May 09, 2018 08:07AM UTC

Hi Daniel, Thanks for explaining your use cases. Are you aware that you can save and load attack configs within Intruder? This may help you somewhat - although it's not as slick as what you propose. For the SQL injection use case, we would encourage you to use Scanner instead of Intruder. This uses a similar set of payloads, although they are adaptive, and also have detection logic that avoids a human having to check the responses. If some checks you regularly want to do are missing, you can code a custom IScannerCheck. In fact, we'd be interested to hear about missing payloads as we would consider adding them to the core scanner. Please let us know if you need any further assistance.

Burp User | Last updated: Aug 24, 2019 05:59PM UTC

I am also interested in this functionality for the same reasoning. The reason that I wouldn't want to use the scanner is because it can send to many requests at times. So having a very restricted set of payloads quickly loaded into intruder would be real helpful.

You need to Log in to post a reply. Or register here, for free.