Monday, March 22, 2010

Intruder botox

I'll shortly be releasing to Burp Suite Pro users a new beta version of Burp Intruder, which contains a bunch of frequently-requested enhancements:
  • You can now configure multiple attacks indepedently in separate tabs (as with Burp Repeater). You can copy attack configurations between tabs, or save configurations for later use.
  • Payload positioning now uses the same feature-rich editor as other tools, and fully preserves binary/non-printing characters.
  • There are several new payload sources, including a bit flipper, character frobber and username generator.
  • The existing simple payload processing options (for encoding, etc.) are replaced with a rules-based processor which can perform arbitrarily many actions, such as match/replace, prefix/suffix, substring, case modification, encoding, decoding and hashing.
  • All feasible attack configuration options can now be modified during a live attack, and have immediate effect, including the base request template, payloads, grep settings and thread count.
  • Each attack optionally performs an unmodified baseline request, to enable easy comparison with the results of actual attack requests.
  • The attack results table contains the same rich functionality as the Proxy history, with a configurable filter, annotation of items with comments and highlights, and a preview pane for quick viewing of requests and responses.
  • Selected result items can be flagged to be re-requested (e.g. if network errors or timeouts have occurred).
  • When an attack is configured to follow redirects, all intermediate responses and requests are recorded in the results viewer.
Following the enhancements made to other tools in recent releases, Burp Intruder was starting to look a bit left behind. This upgrade brings Intruder up to the same level of functionality as the rest of the suite, and you will hopefully find it more powerful and easier to use than previously. There are a lot of requested features which didn't make the cut on this occasion, and these will hopefully make an appearance later this year.

The new release should be available later this week.


Anonymous said...

Nice work Daf. Are there any plans to implement an egrep type of search in the proxy and repeater so that we can search the request/response for more than one search term at a time?

PortSwigger said...


If you set the search bar below the editor to use regex (click on the + button on the left), you can search for two terms at once, for example:


Does that help?

Anonymous said...

The only thing you need now is a way to perform multi-step attacks for those places in the app that require input for page 1 and 2 in order to process information on page 3.

Used the beta since its release. Looking forward to using this new version. Thanks for all the hard work.

Dave said...

Thanks for improving Burp; I like it better with each release.

Two small feature requests though:
1) can you add the option for a random interval between 2 values in the intruder (e.g. random value between 10 and 20 seconds).

2) can you add the date (next to the time) in the proxy history.
I often have assessment that take more than 1 day and when I search for something it is difficult to look up the original request.

i0null said...

Absolutly love burp suite. However there are 2 features which i am dying for!

0: I would love if under the scope tab there was an option to cache a page and an option to edit it, so that that my modified version is surved to the browser whenever it is requested. Very useful for messing with javascript files.

1: already mentioned, but i would also love to option to add additional requests to the intruder and repeater tabs so that step-through wizards can be tested more easily. Maybe to do this, you can multiple requests to a attack and then specify which of the respones you would like to be returned.