Burpsuite Payloads Overview

Types of Payload in Burp Suite.

Burp Suite is developed by PortSwigger Web Security. It is a Java-based software platform of tools for performing security testing of web applications.

The suite of products can be used to combine automated and manual testing techniques and consists of many different tools, such as a proxy server, a web spider, scanner, intruder, repeater, sequencer, decoder, collaborator and extender.

We are going to give an overview of the Intruder feature of Burp Suite. It is used for brute-force attacks against web applications.

There are 18 types of payloads in Intruder:

Simple list, Runtime File, Case Modification, Numbers, Character substitution, Custom iterator, Recursive grep, Illegal Unicode, Character blocks, Dates, Brute Forcer, Null Payloads, Character frobber, Bit Flipper, Username generator, ECB block shuffler, Extension Generated, Copy other payloads.

Simple List

It is one of the simplest payload types: it lets you configure a short dictionary of strings that are used as the payload.

You can manually add items to the list using the text box and the “Add” button, or you can paste a list from the clipboard, or load from file.

Runtime File

This payload type lets you configure a file from which the payload strings are read at runtime. It is useful when you need a very large list of payloads, because it avoids holding the entire list in memory, which overcomes a limitation of the simple list payload type.

Case Modification

It allows you to configure a list of strings and apply various case modifications to each item on the list, and it is useful in password guessing attacks, for generating case variations on dictionary words.

The following case modification rules can be selected:

  • No change – The item is used without being modified.
  • To lower case – All letters in the item are converted to lower case.
  • To upper case – All letters in the item are converted to upper case.
  • To Proper name – The first letter in the item is converted to upper case, and the remaining letters are converted to lower case.
  • To Proper Name – The first letter in the item is converted to upper case, and the remaining letters are not changed.

For example, if we select all the modification options, then the item “hackers online club” will generate the following payloads:

  • Hackers Online Club
  • hackers online club
  • HACKERS ONLINE CLUB
  • Hackers online club

Numbers

This type of payload generates numeric payloads within a given range and in a specified format.

The following options are available in this payload:

Number range:

  • Type – This option specifies whether the numbers should be generated sequentially or randomly.
  • From – If numbers are being generated sequentially, it is the value of the first number that will be created.
  • To – If numbers are being generated sequentially, this is the value of the last number that will be generated. It is also the highest possible number that may be randomly generated.
  • Step – This option is used when numbers are being generated sequentially, and specifies the increment between successive numbers.
  • How many – This option is available when numbers are being generated randomly, and specifies the number of payloads that will be generated.

Brute Force

This type of payload generates payloads of specified lengths that contain all permutations of a given list of characters.

The following options are available:

  • Character set – The set of characters to be used in the payloads. Note that the total number of payloads increases exponentially with the size of this set.
  • Min length – The length of the shortest payload.
  • Max length – The length of the longest payload.

Character Substitution

This type of payload allows us to configure a list of strings and apply various character substitutions to each item. It is useful in password guessing attacks, for generating common variations on dictionary words.

The UI of this payload allows you to configure a number of character substitutions. For each item, it will generate a number of payloads, which include all permutations of substituted characters according to the defined changes.

For example, with the default substitution rules (which include e > 4 and h > 5), the item “hackers online club” will generate the following payloads:

  • hackers online club
  • 5ackers online club
  • hack4rs online club
  • hackers onlin4 club
  • hack4rs onlin4 club
  • 5ack4rs onlin4 club

Copy Other Payload

Copy other payload can copy the value of the current payload to another payload position. It is beneficial for attack types that have multiple payload sets such as cluster bomb, pitchfork, and battering ram.

This payload type can be useful in various situations, for example:

Suppose we are attacking two different parameters in two different fields. We can assign different “payload types” to multiple “payload sets” in the Burp Suite payload configuration, as our attack type requires. This payload type lets us simply use the same dictionary for both payloads, by giving the number of the payload position we want to copy. It will use the complete payload that is set at that position.

Username generator

This payload type lets you configure a list of names or email addresses, and derives potential usernames from these using various common schemes.

For example, supplying the name “hackers online club” generates usernames such as the following:

  • hackersonlineclub
  • hackers.onlineclub
  • onlineclubhackers
  • clubhackersonline
  • hackers
  • hackersonline
  • onlineclub
  • etc…

The username generator payload type can be useful if you are targeting a particular human user, and you do not know the username or email address scheme in use within an application.

Dates

This type of payload generates date payloads within a given range and in a specified format, and it can be used in data mining or brute forcing.

For example, it can be used to guess a user’s birth date, wedding date, anniversary date, etc., in order to brute force the security questions of a web application, or to brute force the password of a user who uses a date as their password.

The following options are available:

  • From – This is the first (and earliest) date that will be generated.
  • To – This is the value of the last (and latest) date that will be generated (or the nearest lower increment of the step value).
  • Step – This is the increment between successive dates, in days, weeks, months or years. It must be a positive value.
  • Format – This is the format in which the dates should be represented. Several predefined date formats can be selected, or a custom date format can be entered in the text field. The examples below illustrate the syntax that can be used to specify custom date formats.
    MMMM – June
    yy – 03
    yyyy – 2019

Null payloads

It generates payloads whose value is an empty string. It is used when an attack requires the same request to be made repeatedly, without any modification to the basic template.

This can be used for a variety of attacks, for example, harvesting cookies for sequencing analysis, application-layer denial-of-service attacks where requests are repeatedly sent which initiate high-workload tasks on the server, or keeping alive a session token that is being used in other intermittent tests.

Extension-generated

This payload type invokes a Burp extension to generate payloads. The extension must have registered an Intruder payload generator. You can select the required generator from the list of available generators that have been registered by currently loaded extensions.

Illegal Unicode

This payload type can be used to generate illegal Unicode representations of characters. It is sometimes effective in bypassing filters designed to block certain characters, for example, defenses against file path traversal attacks that match on expected encodings of the ../ and ..\ sequences.

The payload type operates on a list of items and generates a number of payloads from each item by replacing a specified character within each item with illegal Unicode-encodings of another character.
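
The defensive counterpart to this payload type, as an added example (not from the original article or from Burp Suite): instead of pattern-matching the encoded input, decode it once with a strict UTF-8 decoder, which rejects overlong and other ill-formed sequences, and then validate the canonical path. BASE, the function names and the sample inputs are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

BASE = "/srv/app/files"  # hypothetical document root (assumption)

def naive_filter(raw):
    """Weak defence: pattern-match the still-encoded input for expected forms."""
    lowered = raw.lower()
    return not any(p in lowered for p in ("../", "..\\", "%2e", "%2f", "%5c"))

def resolve(raw):
    """Decode once and strictly, then validate the canonical path."""
    data = unquote_to_bytes(raw)
    try:
        # Python's strict UTF-8 decoder rejects overlong and ill-formed sequences
        name = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError("ill-formed UTF-8 in path") from exc
    if "\x00" in name or "\\" in name:
        raise ValueError("forbidden character in path")
    full = posixpath.normpath(posixpath.join(BASE, name))
    if not full.startswith(BASE + "/"):
        raise ValueError("path escapes base directory")
    return full

def rejected(raw):
    """True when resolve() refuses the input."""
    try:
        resolve(raw)
        return False
    except ValueError:
        return True

# Constructed sample inputs: a normal name, a plainly encoded traversal,
# and an overlong (illegal) UTF-8 encoding of the dot character
SAMPLES = ["reports/q1.pdf", "%2e%2e/secret.txt", "%c0%ae%c0%ae/secret.txt"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: naive filter passes={naive_filter(s)}, "
              f"strict check rejects={rejected(s)}")
```

The third sample passes the pattern filter yet is refused by the strict decoder, which is the gap this payload type probes for.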

Character blocks

This payload type generates payloads based on blocks of a specified character or string. It can be useful in detecting buffer overflow and other boundary condition vulnerabilities in software running in a native (unmanaged) context. It can also be used to exploit some logic flaws where the input of a particular length bypasses input filters or triggers an unexpected code path.

The following options are available:

  • Base string – This is the input string from which the character blocks will be generated.
  • Min length – This is the size of the smallest block that will be generated.
  • Max length – This is the size of the largest block that may be generated.
  • Step – This is the increment in the length of each character block.

Character frobber

This payload type is useful when testing which parameter values, or parts of values, have an effect on the application’s response. It operates on a string input and modifies the value of each character position in turn. It can operate on the existing base value of each payload position, or on a specified string. It cycles through the base string one character at a time, incrementing the ASCII code of that character by one.

ECB block shuffler

This payload type can be used to shuffle blocks of ciphertext in ECB-encrypted data to meaningfully modify the decrypted clear text and potentially interfere with application logic.

The following options are available:

  • Encrypted data to shuffle
  • Format of original data
  • Block size
  • Additional encrypted strings
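
Why block shuffling works and how an integrity check stops it, as an added example that is not from the original article or from Burp Suite: a toy Feistel cipher (an assumption standing in for AES, not secure) runs in ECB mode over constructed 16-byte fields, two ciphertext blocks are swapped, and an encrypt-then-MAC check over the ciphertext rejects the result. All function names, keys and sample data are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as with AES

def _f(key, rnd, half):  # round function: keyed hash cut to half a block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(key, blk):
    # Toy 4-round Feistel cipher standing in for AES (assumption; NOT secure)
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def ecb(key, data, op):  # ECB: each block is processed independently, no chaining
    return b"".join(op(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def swap_blocks(ct, i, j):
    blocks = [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)

def seal(enc_key, mac_key, pt):
    ct = ecb(enc_key, pt, enc_block)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_checked(enc_key, mac_key, ct, tag):  # verify the tag before decrypting
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext was modified")
    return ecb(enc_key, ct, dec_block)

# Constructed sample: three fields, each exactly one 16-byte block
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"
PLAINTEXT = b"field1=AAAAAAAAA" b"field2=BBBBBBBBB" b"field3=CCCCCCCCC"
CT, TAG = seal(ENC_KEY, MAC_KEY, PLAINTEXT)
SHUFFLED = swap_blocks(CT, 0, 2)
print(ecb(ENC_KEY, SHUFFLED, dec_block))  # decrypts cleanly, fields reordered
```

Without the tag check the reordered ciphertext decrypts to valid-looking fields in a different order; `open_checked` raises on the same input because the MAC covers the whole ciphertext.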

Note: In the next article, we will demonstrate the payloads with a POC.

More from Kaushal Jangid