The Options tab in the Intruder tool allows you to configure additional test parameters, including a grep function, enabling a DoS mode, and deciding how you want Burp Suite to handle 3xx redirects. We can also instruct Burp Suite to make a request without any values being modified, which will be used as a baseline request; the attack requests will then be compared against this baseline. For this example we are going to use the grep function to perform a simple pattern match. Burp Suite provides a default list of words to match against, but we are going to remove these and add our own for this test. The User ID value that we provide will be entered into an SQL query; if the application fails to validate this value securely, a SQL injection vulnerability could exist. We want the Intruder tool to perform a pattern match on this string: “SQL syntax”. This should allow us to easily identify any SQL errors caused by our test inputs:
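What the grep and baseline options compute, as an added example that is not part of the original post or of Burp Suite: a small Python routine over constructed sample responses that flags each payload whose response body contains the pattern and records whether its status code or body length differs from the baseline request. The sample bodies, status codes and the MySQL-style error line are constructed for illustration; the pattern text “SQL syntax” is the one used in the post.

```python
import re

# Constructed sample data: a baseline response (no values modified) and one
# response per Intruder payload. These are not captured from a real application.
BASELINE = {"status": 200, "body": "<html>User 1: alice</html>"}
RESULTS = [
    {"payload": "1",   "status": 200, "body": "<html>User 1: alice</html>"},
    {"payload": "2",   "status": 200, "body": "<html>User 2: bob</html>"},
    {"payload": "'",   "status": 500,
     "body": "You have an error in your SQL syntax; check the manual ..."},
    {"payload": "abc", "status": 200, "body": "<html>No such user</html>"},
]


def classify(baseline, results, pattern="SQL syntax", ignore_case=False):
    """Mirror the Intruder result table: status, length, grep match column,
    plus a flag for responses that differ from the baseline request."""
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(re.escape(pattern), flags)
    rows = []
    for r in results:
        rows.append({
            "payload": r["payload"],
            "status": r["status"],
            "length": len(r["body"]),
            # The tick box in the "SQL syntax" column of the post.
            "grep_match": bool(rx.search(r["body"])),
            # Cheap baseline comparison: status code or body length changed.
            "differs_from_baseline": (r["status"] != baseline["status"]
                                      or len(r["body"]) != len(baseline["body"])),
        })
    return rows


def flagged_payloads(baseline, results, pattern="SQL syntax"):
    """Payloads whose response matched the grep pattern (the ones to review)."""
    return [row["payload"] for row in classify(baseline, results, pattern)
            if row["grep_match"]]


if __name__ == "__main__":
    for row in classify(BASELINE, RESULTS):
        print(row)
    print("review:", flagged_payloads(BASELINE, RESULTS))
```

A length or status change alone is only a hint (payload 2 changes the length simply because a different user was found); the grep column is what narrows the list to responses that actually leaked a database error.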
Saving our attack configuration

The test we have configured in this tutorial might only be used once, but we can save our attack configuration so we can repeat this test in future. You can save your attack configuration by clicking on the Intruder menu item and choosing “save attack config”. You can save your tests with or without the payload positions:
As you can see in the image above, you can also load attack configs by clicking on the Intruder menu item.

Executing our tests

The only thing left for us to do now is to execute our tests. To start the Intruder tool, click the Intruder menu item and then click on “start attack”:
A separate window will open showing each test, the payload used, the status code, the response length and, in our case, which tests matched our “SQL syntax” pattern:
You can see which tests matched our pattern by looking at the tick boxes in the SQL syntax column. To review the request and response for a test, click any of the requests shown in the attack window; they are shown in the bottom half of the Intruder attack window. We are going to review request 13, which entered a single quote (‘) into the User ID field:
This single quote caused a MySQL error to be thrown by the application:
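As an added example (not code from the original post or from Burp Suite), the two query-building styles behind the error above, shown with Python's sqlite3 module on a constructed in-memory table: the concatenated version breaks the SQL parser as soon as the User ID contains a quote, while the parameterised version passes the same input to the database as data. The function names and the users table are assumptions for illustration; SQLite's error text differs from MySQL's “SQL syntax” message, but the failure is raised the same way.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("1", "alice"), ("2", "bob")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the query by string concatenation (hypothetical vulnerable code).

    The User ID becomes part of the SQL text, so a lone quote unbalances the
    string literal and the parser rejects the statement. An application that
    echoes str(exc) to the client produces exactly the kind of response the
    post's grep pattern is looking for."""
    sql = "SELECT name FROM users WHERE id = '" + user_id + "'"
    try:
        rows = [row[0] for row in conn.execute(sql)]
        return {"ok": True, "rows": rows, "error": None}
    except sqlite3.Error as exc:
        return {"ok": False, "rows": [], "error": str(exc)}


def lookup_safe(conn, user_id):
    """Parameterised query: the driver sends user_id as a bound value, so it
    can never change the structure of the statement."""
    rows = [row[0] for row in
            conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))]
    return {"ok": True, "rows": rows, "error": None}


if __name__ == "__main__":
    conn = make_db()
    for payload in ["1", "'"]:
        print(repr(payload), "vulnerable:", lookup_vulnerable(conn, payload))
        print(repr(payload), "safe:      ", lookup_safe(conn, payload))
```

For the valid ID both functions return the same row; for the single quote only the concatenated version errors, which is the condition the Intruder grep surfaced in request 13. Parameterising the query removes the error and the injection point at once, and returning a generic message instead of the driver's error text keeps the remaining responses from matching patterns like this in the first place.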
So, as you can see, we have used the Burp Suite Intruder tool to identify a potential SQL injection vulnerability. I hope you have found this blog post useful and I’m always interested in hearing any feedback you have.