Burp Intruder Payload Methods Explained

If you use Burp a good bit you’ve likely run into the question of what precisely the various Intruder Payload Methods do. Specifically, what are the differences between them? To refresh the memory, they are Sniper, Battering Ram, Pitchfork, and Cluster Bomb.

The manual has good explanations, but somehow nobody remembers them. So here’s my own quick summary of the functionality.

Sniper

  • Payloads: One

  • Summary: One of the marked parameters tested at a time, with one of the payload items.

  • Common Use Cases: Individual field tests for a specific vulnerability, hit a password field for a known username with a guessing attack.

Battering Ram

  • Payloads: One

  • Summary: All marked parameters tested at the same time, using one of the payload items.

  • Common Use Cases: Request requires value to be in multiple fields simultaneously, e.g. username.

Pitchfork

  • Payloads: One for each parameter (up to 8)

  • Summary: Hits each parameter at the same time with one item from its associated payload.

  • Common Use Cases: Request requires value to be in multiple fields simultaneously, but different for each parameter.

Cluster Bomb

  • Payloads: One for each parameter (up to 8)

  • Summary: Combination of all payloads vs. parameters, so if there’s a username field and a password field, each has its own payload list, and the requests look like payloaduser1:payloadpass1, payloaduser1:payloadpass2, payloaduser1:payloadpass3, payloaduser2:payloadpass1, payloaduser2:payloadpass2, payloaduser2:payloadpass3.

  • Common Use Cases: Guess username/password combinations looking for clues in response codes, response lengths, etc.

Related posts: