Burp Suite User Forum


Intruder: Inadequate default lists

Chris | Last updated: Apr 25, 2020 06:43PM UTC

As a pentester, one of my first enumerating steps on web applications is to check for hidden directories, and I use Burp Intruder for that task. Willing to be thorough, I always choose the "Directories - long" list, trusting your dictionaries. However, by accident I discovered by other means that one application has the below hidden directories:

/report/
/reports/
/backup/
/backups/

I was then terrified to realize that those keywords are NOT included in the "Directories - long" list. I don't want to imagine how many such common directories I have missed all those years. Also, I cannot understand the logic behind the fact that the aforementioned keywords are included only in the "Directories - short" list.

Also, sometimes I have found SQL Injection by other means (custom lists, Burp plugins) that the Burp Scanner and the "Fuzzing - SQL injection" Intruder list failed to indicate. I think it is a good time to review and renew all your Intruder default lists. Thank you

Liam, PortSwigger Agent | Last updated: Apr 27, 2020 12:34PM UTC

Thanks for this report, Chris. We have plans to update Burp Intruder, I've added a ticket to the roadmap with your comments.

Chris | Last updated: Apr 27, 2020 04:21PM UTC

Thanks for that Liam!

Uthman, PortSwigger Agent | Last updated: Dec 22, 2020 11:35AM UTC

Hi Chris, the long versions of the payload lists now contain everything within the short versions. Can you please check this in the latest version (2020.12.1) and let us know if you have any issues?
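The fix described in this thread is a superset property: every entry of a "short" list should also appear in the corresponding "long" list. The script below is an added example, not PortSwigger code and not a copy of Burp's bundled payload lists; it checks that property for two wordlists and builds a merged list when entries are missing. The two sample lists are constructed stand-ins (a handful of directory names) so the script runs offline; the `check_files` helper is a hypothetical convenience for pointing it at real files on disk.

```python
"""Verify that a 'long' wordlist is a superset of a 'short' one and merge if not.

Added example for the Burp forum thread above; not PortSwigger's code.
Wordlist format assumed: one entry per line, '#' lines are comments, blanks ignored.
"""
from pathlib import Path

# Constructed sample lists (NOT Burp's real "Directories - short/long" lists).
SHORT_LIST = """\
admin
backup
backups
report
reports
# comment lines and blank lines are ignored
images
"""

LONG_LIST = """\
admin
images
cgi-bin
static
"""


def parse_wordlist(text: str) -> list[str]:
    """Return non-empty, non-comment entries in file order with duplicates dropped.

    Entries are compared exactly (no case folding): directory names on many
    servers are case sensitive, so 'Backup' and 'backup' are distinct payloads.
    """
    seen: set[str] = set()
    entries: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line not in seen:
            seen.add(line)
            entries.append(line)
    return entries


def missing_from_long(short_text: str, long_text: str) -> list[str]:
    """Entries of the short list that the long list lacks, in short-list order."""
    long_entries = set(parse_wordlist(long_text))
    return [w for w in parse_wordlist(short_text) if w not in long_entries]


def merge_wordlists(long_text: str, short_text: str) -> list[str]:
    """Long list followed by any short-list entries it was missing (order kept)."""
    merged = parse_wordlist(long_text)
    have = set(merged)
    for w in parse_wordlist(short_text):
        if w not in have:
            have.add(w)
            merged.append(w)
    return merged


def check_files(short_path: str, long_path: str) -> list[str]:
    """Hypothetical helper: run the superset check on two wordlist files on disk."""
    return missing_from_long(
        Path(short_path).read_text(encoding="utf-8"),
        Path(long_path).read_text(encoding="utf-8"),
    )


if __name__ == "__main__":
    gap = missing_from_long(SHORT_LIST, LONG_LIST)
    if gap:
        print("short-list entries absent from the long list:")
        for entry in gap:
            print("  " + entry)
        print("merged list (%d entries):" % len(merge_wordlists(LONG_LIST, SHORT_LIST)))
        print("\n".join(merge_wordlists(LONG_LIST, SHORT_LIST)))
    else:
        print("long list is a superset of the short list")
```

Run it against the two lists shipped with a given Burp release (exported to files and passed to `check_files`) to confirm the behaviour Uthman describes; an empty result means the superset property holds for that pair.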
