Burp Suite Series – Demonstrate Runtime File Payload

Burp Suite- RunTime File Payload
Burp Suite- RunTime File Payload

The following tutorial is a beginner guide on the Burp Suite.

In our previous article we are discussing about the “Types of Payload in Burp Suite

Now in this part we are going to perform Runtime File payload in the Burp suite.

Runtime File Payload

This payload type lets you configure a file from which to read payload strings at runtime. This is useful when a very large list of payloads is needed, to avoid holding the entire list in memory. One payload is read from each line of the file, hence payloads may not contain newline characters.

Also check the Video Tutorial at the end of the article.

Requirements?

  • BurpSuite
  • Any Browser (We use chrome here)
  • Network Proxy
  • Demonstrate Link testphp.vulnweb.com

First, ensure that Burp is correctly configured with your browser. Follow the steps. 

To configure Burp Suite demonstrate.

First Go to your browser settings and in the search box type proxy, then select open proxy settings > In connection tabs > Lan settings > Tick Use a proxy server for your LAN > (127.0.0.1 port number 8080) then Click ok.

Using Burpsuite For Brute Force Website Login Page

Now open Burp Suite.

In the Burp Proxy tab, ensure “Intercept is off” and visit the login page of the application, which you are testing in your browser.

Using Burpsuite For Brute Force Website Login Page

Turn on Intercept

Brute Force Website Login Page using Burpsuite

In your browser, enter the random username and password, then submit the request to intercept the browser request using a burp suite. Here we are testing on http://testphp.vulnweb.com/

Brute Force Website Login Page using Burpsuite

Brute Force Website Login Page using Burpsuite

Right click on the request to bring up the context menu and  click “Send to Intruder.”

Brute Force Website Login Page using Burpsuite

Then select the Positions tab and follow the below steps:

  • Change the attack to “Cluster bom*b” using the “Attack type” drop down menu.
  • Clear the pre-set payload positions by using the “Clear” button on the right of the request editor and click add for set payload.

Brute Force Website Login Page using Burpsuite

Go to the “Payloads” tab. In the “Payload sets” settings, ensure “Payload set” is “1” and “Payload type” is set to “Run time file.”

Then give the path of dictionary in the “payload options” as location of dictionary or in kali Linux  give the path of dictionary in the “payload options” as /usr/share/wordists/rockyou.txt which is the largest dictionary in Kali Linux.

Next, in the “Payload Sets” options, change “Payload” set to “2” and “Payload type” is set to “Run time file.” Then give the path of the dictionary in the “payload options” as location of dictionary.

After that Select Start Attack in the Intruder menu.

In the “Intruder attack” window, you can sort the results using the column headers. In this example sort by “Length” and by “Status.”

The table now provides us with some interesting results for further investigation.

By viewing the response in the attack window, we can see that request 6182 is logged in as a “test.

To confirm that the brute force attack has been successful, use the gathered information (username and password) on the web application’s login page.

Copy the Raw text of request

Brute Force Website Login Page using Burpsuite

Paste the Raw text request in the Proxy tab > Intercept > Raw

Brute Force Website Login Page using Burpsuite

Click on forward request and see the result

Brute Force Website Login Page using Burpsuite

Successfully done.

Watch video 

For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.

Subscribe to HackersOnlineClub via Email

Enter your Email address to receive notifications of Latest Posts by Email | Join over Million Followers

More from Kaushal Jangid

Exploiting Authentication Issues of Web Application

Following tutorial related to Exploiting Authentication Issues of a Web application. You...
Read More

Leave a Reply