The following tutorial is a beginner guide on the Burp Suite.
In our previous article we are discussing about the “Types of Payload in Burp Suite”
Now in this part we are going to perform Runtime File payload in the Burp suite.
Runtime File Payload
This payload type lets you configure a file from which to read payload strings at runtime. This is useful when a very large list of payloads is needed, to avoid holding the entire list in memory. One payload is read from each line of the file, hence payloads may not contain newline characters.
Also check the Video Tutorial at the end of the article.
- Any Browser (We use chrome here)
- Network Proxy
- Demonstrate Link testphp.vulnweb.com
First, ensure that Burp is correctly configured with your browser. Follow the steps.
To configure Burp Suite demonstrate.
First Go to your browser settings and in the search box type proxy, then select open proxy settings > In connection tabs > Lan settings > Tick Use a proxy server for your LAN > (127.0.0.1 port number 8080) then Click ok.
Now open Burp Suite.
In the Burp Proxy tab, ensure “Intercept is off” and visit the login page of the application, which you are testing in your browser.
Turn on Intercept
In your browser, enter the random username and password, then submit the request to intercept the browser request using a burp suite. Here we are testing on http://testphp.vulnweb.com/
Right click on the request to bring up the context menu and click “Send to Intruder.”
Then select the Positions tab and follow the below steps:
- Change the attack to “Cluster bom*b” using the “Attack type” drop down menu.
- Clear the pre-set payload positions by using the “Clear” button on the right of the request editor and click add for set payload.
Go to the “Payloads” tab. In the “Payload sets” settings, ensure “Payload set” is “1” and “Payload type” is set to “Run time file.”
Then give the path of dictionary in the “payload options” as location of dictionary or in kali Linux give the path of dictionary in the “payload options” as /usr/share/wordists/rockyou.txt which is the largest dictionary in Kali Linux.
Next, in the “Payload Sets” options, change “Payload” set to “2” and “Payload type” is set to “Run time file.” Then give the path of the dictionary in the “payload options” as location of dictionary.
After that Select Start Attack in the Intruder menu.
In the “Intruder attack” window, you can sort the results using the column headers. In this example sort by “Length” and by “Status.”
The table now provides us with some interesting results for further investigation.
By viewing the response in the attack window, we can see that request 6182 is logged in as a “test.“
To confirm that the brute force attack has been successful, use the gathered information (username and password) on the web application’s login page.
Copy the Raw text of request
Paste the Raw text request in the Proxy tab > Intercept > Raw
Click on forward request and see the result