Blog | G5 Cyber Security

Burp Suite: Parameter Fuzzing

TL;DR

This guide shows you how to use Burp Suite’s Intruder to automatically test a parameter with a list of values, such as a sequence of numbers or specific number combinations. Sending inputs the application does not expect helps surface vulnerabilities and error-handling flaws in how that parameter is processed.

Step-by-step Guide

  1. Capture the Request: First, you need a request containing the parameter you want to fuzz. Browse your application and perform an action that uses this parameter (e.g., submitting a form, making a search). Right-click on the request in Burp Suite’s Proxy history and select “Send to Intruder”.
  2. Configure Intruder: The Intruder will open with the captured request loaded.
    • Go to the Positions tab.
    • Highlight the parameter you want to test. Burp Suite will mark it as a payload position (position 1) with § markers around the value. You can add multiple positions if needed.
    • If the parameter isn’t automatically highlighted, manually select it by clicking and dragging over the parameter name in the request preview.
  3. Define Payloads: Switch to the Payloads tab.
    • Under “Payload type”, choose “Simple list”.
    • In the text box, enter your desired values, separated by newlines. For example:
      1
      2
      3
      4
      5
    • Alternatively, you can load a payload from a file using “Load…” if you have a larger list of values.
  4. Configure Options (Optional): The Options tab allows fine-tuning. Consider these:
    • Concurrency: Increase the number of concurrent requests for faster testing, but be mindful of your server’s capacity.
    • Grep – Match & Extract: Use this to automatically identify interesting responses based on specific text patterns. For example, if you expect an error message when a value is invalid, enter that message in the “Match” field.
    • Encoding: Ensure the correct encoding for your application (usually UTF-8).
  5. Start Attack: Click “Start attack”. Burp Suite will now send multiple requests, each with a different value from your payload list.
  6. Analyze Results: The results will appear in the Results tab.
    • Sort by response status code to quickly identify errors (e.g., 400 Bad Request), and by response length to spot responses that differ from the rest.
    • Examine the responses for any unexpected behaviour or error messages.
    • Look at the differences between successful and unsuccessful requests to understand how the parameter affects the application.

Example: Testing a Number Range

To test a number range from 100 to 105, your payload list would look like this:

100
101
102
103
104
105
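The six-step procedure above and the 100–105 number range example both describe the same loop: take a request, substitute each value from a payload list into one parameter, send the requests (optionally in parallel), grep the responses for a marker string, and then sort the results by status code and length. The script below, added here as an illustration and not code from G5 Cyber Security or from Burp Suite itself, re-implements that loop in plain Python so you can see what Intruder is doing under the hood. The target is a constructed local endpoint (`DemoHandler`, which accepts `id` values 100 to 103 and answers 400 with “Error: invalid id” for anything else), so the whole thing runs offline; the hostname, port, `/lookup` path, `id` parameter and the behaviour of the endpoint are all assumptions made for the demo.

```python
"""Minimal re-implementation of the Intruder "Simple list" workflow against a
constructed local target, for understanding what the GUI steps actually do."""
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor


# Constructed target standing in for the application under test (assumption:
# a /lookup endpoint whose `id` parameter is only valid for 100..103).
class DemoHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        raw = params.get("id", [""])[0]
        if raw.isdigit() and 100 <= int(raw) <= 103:
            status, body = 200, f"record {raw}".encode()
        else:
            status, body = 400, b"Error: invalid id"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_demo_server():
    """Bind the constructed target to a free loopback port in a daemon thread."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def number_range(start, stop):
    """Payload list equivalent to typing 100..105 one per line in the Simple list box."""
    return [str(n) for n in range(start, stop + 1)]


def send_one(base_url, param, payload):
    """Substitute one payload into the marked parameter and record the response."""
    url = f"{base_url}/lookup?{urllib.parse.urlencode({param: payload})}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            status, body = resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a useful body
        status, body = err.code, err.read().decode()
    return {"payload": payload, "status": status, "length": len(body), "body": body}


def fuzz(base_url, param, payloads, grep_match=None, workers=5):
    """Send every payload (concurrently, like Intruder's resource pool), apply a
    Grep-Match marker, and return results sorted by status code then payload."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: send_one(base_url, param, p), payloads))
    for r in results:
        r["matched"] = bool(grep_match) and grep_match in r["body"]
    return sorted(results, key=lambda r: (r["status"], int(r["payload"])))


def run_demo():
    """Fuzz the constructed target with the 100..105 range and grep for 'Error'."""
    server = start_demo_server()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return fuzz(base, "id", number_range(100, 105), grep_match="Error")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Same view as the Intruder Results tab: payload, status, length, grep flag.
    for r in run_demo():
        flag = "<- grep match" if r["matched"] else ""
        print(f'{r["payload"]:>4}  {r["status"]}  len={r["length"]:<3} {flag}')
```

Running it prints one row per payload; 100 to 103 come back 200 and 104 and 105 come back 400 with the grep marker set, which is exactly the status-code and Grep-Match split the guide tells you to look for in the Results tab. Against a real application you would replace the constructed target with the captured request’s host, path and parameter, and keep `workers` small, for the same reason the Options step warns about server capacity.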

Advanced Tips
