Brute-forcing logins with Burp Suite

Although it's far more efficient to first enumerate a valid username and then attempt to guess the matching password, this may not always be possible. Using Burp Intruder, you can attempt to brute-force both usernames and passwords in a single attack.

Before you start

Obtain lists of potential usernames and passwords. For the example below, you can use the following lists:

• Usernames
• Passwords

In practice, we recommend sorting the list in order of how likely you think the username or password is to be correct.

Steps

You can follow along with the process below using the Username enumeration via subtly different responses lab from our Web Security Academy.

1. Send the request for submitting the login form to Burp Intruder.
2. Go to Intruder and select Cluster bomb attack from the attack type drop-down menu.

3. In the request, highlight the username value and click Add § to mark it as a payload position. Do the same for the password.

   
4. In the Payloads side panel, select position 1 from the Payload position drop-down list.

5. Under Payload configuration, paste the list of usernames.

   
6. Select position 2 from the Payload position drop-down list, and paste the list of passwords.
7. Click Start attack. The attack starts running in the new dialog. Intruder sends a request for every possible combination of the provided usernames and passwords.

8. When the attack is finished, study the responses to look for any behavior that may indicate a valid login. For example, look for any anomalous error messages, response times, or status codes. In the example below, one of the requests has received a 302 response.

   
9. To investigate the contents of a response in detail, right-click and select Send to Comparer (response). Do the same for the original response.
10. Go to the Comparer tab. Select the two responses and click Words or Bytes to compare the responses. Any differences are highlighted.