Burp Suite Intruder can do more than simple brute-forcing: the same position-and-payload machinery drives fuzzing attacks as well.

Here’s a demonstration of Burp Intruder in action, targeting a hypothetical web application’s login endpoint.

Imagine a simple login form that accepts a username and password. We’ve intercepted a legitimate login request with Burp Suite and sent it to Intruder.

POST /login HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

username=admin&password=password123

In the Intruder "Positions" tab, we've marked the values of username and password as payload positions. We've selected "Sniper" as the attack type, meaning Intruder inserts each payload into one position at a time while the other position keeps its original value, then repeats the process for the next position.

Brute Force Scenario: Username Enumeration

Let’s say we suspect a username admin might exist, but we’re unsure. We’ll set up Intruder to brute-force common usernames.

  1. Payload Type: Simple List
  2. Payloads: We’ll load a list of common usernames: admin, administrator, root, test, user.
  3. Target Parameter: username

Intruder will send requests like:

  • username=admin&password=password123
  • username=administrator&password=password123
  • username=root&password=password123
  • …and so on.

We'll then analyze the responses. A successful login might return a 302 redirect to a dashboard, while a failed attempt might return a 401 Unauthorized or a specific error message. Because the password is held constant, the enumeration signal is any username whose response differs from the rest: a different status code, a different response length, a different error message, or a noticeably different response time. Sorting the results table by status code or length makes those outliers stand out. Keep an eye on lockout and rate-limiting behaviour, since a long wordlist can lock the very account you are trying to confirm.

Fuzzing Scenario: Password Complexity Testing

Now, let’s focus on fuzzing the password field to uncover potential vulnerabilities like weak password policies or SQL injection.

  1. Payload Type: any generator that suits the input, e.g. Simple List loaded with a fuzzing wordlist, Numbers, or Brute Forcer with a custom character set
  2. Payloads: We'll combine several lists. For example, a list of special characters (!@#$%^&*()_+), a list of common password suffixes (123, abc, !), a list of SQL metacharacters (a single quote, a comment sequence), or a generated list of common password patterns.
  3. Target Parameter: password

Intruder might send requests like:

  • username=admin&password=password!
  • username=admin&password=password@
  • username=admin&password=password123
  • username=admin&password=passwordabc

We're looking for unexpected responses. If variants such as password! or passwordabc log in just as password123 does, the application is probably truncating or normalizing the password before comparing it, which silently weakens every password on the system. A response containing a database error message after a payload with a quote or comment sequence suggests the password value reaches a SQL query unescaped and deserves a dedicated injection test.
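The two Sniper runs above, the username enumeration and the password fuzz, as an added example that is not code from the page, from PortSwigger, or from Burp itself. The target is a constructed stand-in for the hypothetical /login endpoint: its behaviours (a distinct error message for known usernames, a database error whenever the password contains a quote) are assumptions chosen so the script runs offline and reproduces the two analysis steps described, sorting by status/length and grepping responses for a string.

```python
"""Simulated Intruder 'Sniper' runs against a constructed mock /login handler.

Added example: the handler, its account store and its error strings are all
constructed here, not taken from any real application or from Burp.
"""
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed account store for the mock target.
KNOWN_USERS = {"admin": "password123", "test": "Summer2024!"}

# The intercepted request from the page, as the static base for each attack.
BASE = {"username": "admin", "password": "password123"}


def mock_login(body: str) -> Tuple[int, str]:
    """Stand-in for POST /login: returns (status code, response body)."""
    params = parse_qs(body, keep_blank_values=True)
    username = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    if "'" in password:  # assumption: an unescaped quote reaches the database
        return 500, "You have an error in your SQL syntax"
    if username not in KNOWN_USERS:
        return 401, "Invalid username or password."
    if KNOWN_USERS[username] != password:
        return 401, "Incorrect password for this account."  # leaks existence
    return 302, "Location: /dashboard"


def sniper(template: Dict[str, str], position: str, payloads) -> List[dict]:
    """Sniper on one position: substitute each payload, keep the other field static."""
    results = []
    for payload in payloads:
        fields = dict(template, **{position: payload})
        # URL-encode the body, as Intruder's payload-encoding option does for
        # characters that would otherwise break the request.
        status, resp = mock_login(urlencode(fields))
        results.append({"payload": payload, "status": status,
                        "length": len(resp), "body": resp})
    return results


def outliers(results: List[dict]) -> List[str]:
    """Mimic sorting the results table by status and length: any payload whose
    (status, length) signature differs from the most common one is a candidate."""
    counts = Counter((r["status"], r["length"]) for r in results)
    baseline = counts.most_common(1)[0][0]
    return [r["payload"] for r in results
            if (r["status"], r["length"]) != baseline]


def grep_match(results: List[dict], needle: str) -> List[str]:
    """Mimic Intruder's Grep - Match: payloads whose response contains needle."""
    return [r["payload"] for r in results if needle in r["body"]]


if __name__ == "__main__":
    # Scenario 1: username enumeration, password held at its original value.
    users = sniper(BASE, "username",
                   ["admin", "administrator", "root", "test", "user", "guest"])
    for r in users:
        print(f"{r['payload']:<14} {r['status']} {r['length']:>3}  {r['body']}")
    print("candidate usernames:", outliers(users))

    # Scenario 2: fuzz the password position and grep for database errors.
    pw = sniper(BASE, "password", ["password!", "password@", "password123",
                                   "passwordabc", "pass'word", "' OR 1=1--"])
    print("SQL error responses:", grep_match(pw, "SQL syntax"))
```

Note that in the first run both admin and test come back as 401 for the wrong password, so status code alone would hide test; it is the response length (a different error string) that exposes it, which is why the Length column deserves as much attention as Status.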

The Mental Model: How Intruder Works

Burp Intruder automates the repetitive task of sending slightly modified requests to a target. It works by:

  1. Identifying Injectable Points: You tell Intruder which parts of the HTTP request (parameters, headers, cookies, body) it should modify. Each position is enclosed in a pair of § markers, e.g. username=§admin§&password=§password123§; the text between the markers is the original value that a payload replaces.
  2. Defining Payload Sets: You provide lists of strings (simple lists, numbers, dates, or complex generated lists) or fuzzing permutations that Intruder will inject into the marked positions.
  3. Iterating and Sending: Intruder systematically takes each item from your payload set and inserts it into each marked position, sending the modified request to the target.
  4. Collecting and Analyzing Responses: Intruder captures all the responses, displaying them in a sortable table. You can then analyze status codes, response lengths, and even the response content for patterns that indicate success, failure, or interesting behavior.

Leveraging Intruder’s Power:

  • Attack Types: "Sniper" uses one payload set and targets one position at a time, leaving the others at their original values. "Battering ram" puts the same payload into every position at once. "Pitchfork" assigns one payload set per position and steps through them in lockstep (the first payload of each set, then the second, and so on). "Cluster bomb" assigns one set per position and tries every combination, so the request count is the product of the list sizes.
  • Payload Generation: Beyond simple lists, Intruder can generate numbers, dates, and custom character combinations (Brute forcer), and can transform payloads with processing rules such as hashing, encoding, or adding a prefix or suffix, which is crucial for effective fuzzing.
  • Grep - Match and Grep - Extract: You can flag responses that contain a given string (an error message, "Welcome") or extract a value from each response (a session ID, a token) into its own results column to help automate analysis.
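The request-generation step of the mental model and the four attack types, as an added example. This is a re-implementation of the documented behaviour for illustration, not Burp's own code; positions are delimited with § exactly as in the Positions tab, and the iteration order within a cluster bomb is an assumption (the set of requests is what matters).

```python
"""Generate Intruder-style requests for the four attack types.

Added example, not Burp's implementation.  A template string marks each payload
position with a pair of § characters, as Intruder does in the Positions tab.
"""
import itertools
import re
from typing import Iterator, List, Sequence

POSITION_RE = re.compile("§(.*?)§")


def positions(template: str) -> List[str]:
    """Original value of each marked position, in order of appearance."""
    return POSITION_RE.findall(template)


def fill(template: str, values: Sequence[str]) -> str:
    """Replace the i-th marked position with values[i] (markers removed)."""
    it = iter(values)
    # A callable replacement is inserted literally, so payloads containing
    # backslashes or '\1' are not misread as regex back-references.
    return POSITION_RE.sub(lambda _m: next(it), template)


def sniper(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One payload set; one position at a time, others keep their original value."""
    originals = positions(template)
    for i in range(len(originals)):
        for payload in payloads:
            values = list(originals)
            values[i] = payload
            yield fill(template, values)


def battering_ram(template: str, payloads: Sequence[str]) -> Iterator[str]:
    """One payload set; the same payload goes into every position at once."""
    count = len(positions(template))
    for payload in payloads:
        yield fill(template, [payload] * count)


def pitchfork(template: str, *payload_sets: Sequence[str]) -> Iterator[str]:
    """One set per position, stepped in lockstep; stops at the shortest set."""
    for combo in zip(*payload_sets):
        yield fill(template, combo)


def cluster_bomb(template: str, *payload_sets: Sequence[str]) -> Iterator[str]:
    """One set per position; every combination (product of the set sizes)."""
    for combo in itertools.product(*payload_sets):
        yield fill(template, combo)


if __name__ == "__main__":
    body = "username=§admin§&password=§password123§"
    print("sniper:       ", list(sniper(body, ["root", "test"])))
    print("battering ram:", list(battering_ram(body, ["root", "test"])))
    print("pitchfork:    ", list(pitchfork(body, ["admin", "root"], ["password123", "toor"])))
    print("cluster bomb: ", list(cluster_bomb(body, ["admin", "root"], ["password123", "toor"])))
```

The request counts follow directly: Sniper sends positions × payloads, Battering ram sends one request per payload, Pitchfork sends as many as the shortest list, and Cluster bomb sends the product of all list sizes, which is why a cluster bomb over two 1,000-entry lists is a million requests.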

The one thing most people don't realize is how granular you can get with payload generation and modification. You can define custom character sets for brute-forcing, specify ranges and step sizes for numerical payloads, chain payload processing rules (prefix, suffix, encode, hash), and use the Recursive grep payload type to feed a value extracted from the previous response (an anti-CSRF token, for instance) into the next request, allowing highly targeted attacks that go well beyond simple dictionary attacks.

Once you've successfully enumerated usernames and found a valid one, the next logical step is to systematically test that username against a comprehensive list of common passwords, keeping in mind that account lockout or rate limiting may be the first thing such a run triggers.
