Intruder

Sniper

Assuming we have a wordlist with three words: burp, suite, and intruder, Intruder would generate six requests:

| Request Number | Request Body |
| --- | --- |
| 1 | username=burp&password=Expl01ted |
| 2 | username=suite&password=Expl01ted |
| 3 | username=intruder&password=Expl01ted |
| 4 | username=pentester&password=burp |
| 5 | username=pentester&password=suite |
| 6 | username=pentester&password=intruder |

Battering Ram

The Battering ram attack type in Burp Suite Intruder differs from Sniper in that it places the same payload in every position simultaneously, rather than substituting each payload into each position in turn.

Using the Battering Ram attack type with the same wordlist from before (burp, suite, and intruder), Intruder would generate three requests:

| Request Number | Request Body |
| --- | --- |
| 1 | username=burp&password=burp |
| 2 | username=suite&password=suite |
| 3 | username=intruder&password=intruder |

Pitchfork

The Pitchfork attack type in Burp Suite Intruder is similar to having multiple Sniper attacks running simultaneously. While Sniper uses a single payload set for all positions, Pitchfork utilises one payload set per position (up to a maximum of 20) and iterates through them all simultaneously.

To better understand Pitchfork, let us revisit our brute-force example, but this time with two wordlists:

  1. The first wordlist contains usernames: joel, harriet, and alex.

  2. The second wordlist contains passwords: J03l, Emma1815, and Sk1ll.

We can use these two lists to perform a Pitchfork attack on the login form. Each request made during the attack would look like this:

| Request Number | Request Body |
| --- | --- |
| 1 | username=joel&password=J03l |
| 2 | username=harriet&password=Emma1815 |
| 3 | username=alex&password=Sk1ll |

Cluster Bomb

The Cluster bomb attack type in Burp Suite Intruder allows us to choose multiple payload sets, one per position (up to a maximum of 20). Unlike Pitchfork, where all payload sets are tested simultaneously, Cluster bomb iterates through each payload set individually, ensuring that every possible combination of payloads is tested.

To illustrate the Cluster bomb attack type, let's use the same wordlists as before:

  • Usernames: joel, harriet, and alex.

  • Passwords: J03l, Emma1815, and Sk1ll.

In this example, let's assume that we don't know which password belongs to which user. We have three users and three passwords, but the mappings are unknown. In this case, we can use a Cluster bomb attack to try every combination of values. The request table for our username and password positions would look like this:

| Request Number | Request Body |
| --- | --- |
| 1 | username=joel&password=J03l |
| 2 | username=harriet&password=J03l |
| 3 | username=alex&password=J03l |
| 4 | username=joel&password=Emma1815 |
| 5 | username=harriet&password=Emma1815 |
| 6 | username=alex&password=Emma1815 |
| 7 | username=joel&password=Sk1ll |
| 8 | username=harriet&password=Sk1ll |
| 9 | username=alex&password=Sk1ll |
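The four placement strategies above, written out as a small generator that builds the request bodies without sending anything. This is an added example, not code from the original page or from Burp Suite; the function names are hypothetical, and the base values pentester / Expl01ted are inferred from the Sniper table. Its output reproduces the tables on this page and shows how many requests each attack type produces.

```python
from itertools import product

def sniper(base, payloads):
    """One payload set; each position in turn, other positions keep base values."""
    out = []
    for i in range(len(base)):
        for p in payloads:
            values = list(base)
            values[i] = p
            out.append(tuple(values))
    return out

def battering_ram(base, payloads):
    """One payload set; the same payload goes into every position at once."""
    return [tuple(p for _ in base) for p in payloads]

def pitchfork(payload_sets):
    """One set per position, walked in lockstep (zip stops at the shortest set)."""
    return list(zip(*payload_sets))

def cluster_bomb(payload_sets):
    """One set per position, every combination; first position varies fastest."""
    return [tuple(reversed(c)) for c in product(*reversed(payload_sets))]

def bodies(names, rows):
    """Render value tuples as form-encoded request bodies."""
    return ["&".join(f"{n}={v}" for n, v in zip(names, row)) for row in rows]

# Values taken from the tables on this page.
NAMES = ("username", "password")
BASE = ("pentester", "Expl01ted")
WORDS = ["burp", "suite", "intruder"]
USERS = ["joel", "harriet", "alex"]
PASSWORDS = ["J03l", "Emma1815", "Sk1ll"]

if __name__ == "__main__":
    runs = {
        "Sniper": sniper(BASE, WORDS),
        "Battering ram": battering_ram(BASE, WORDS),
        "Pitchfork": pitchfork([USERS, PASSWORDS]),
        "Cluster bomb": cluster_bomb([USERS, PASSWORDS]),
    }
    for name, rows in runs.items():
        print(f"{name}: {len(rows)} requests")
        for i, body in enumerate(bodies(NAMES, rows), 1):
            print(f"  {i}  {body}")
```

For n positions and payload sets of sizes s1..sn, the counts are n × s for Sniper, s for Battering ram, min(s1..sn) for Pitchfork and s1 × ... × sn for Cluster bomb.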
