
Some Thoughts on the Future of IT


If you use Burp a good bit, you've likely run into the question of what
precisely the various Intruder Payload Methods do. Specifically, what are
the differences between them? To refresh your memory, they are Sniper,
Battering Ram, Pitchfork, and Cluster Bomb.

The manual has good explanations, but somehow nobody remembers them. So
here’s my own quick summary of the functionality.

Sniper

  • Payloads: One

  • Summary: One marked parameter is tested at a time, with one payload
    item per request.

  • Common Use Cases: Individual field tests for a specific vulnerability,
    or hitting a password field for a known username with a guessing attack.

Battering Ram

  • Payloads: One

  • Summary: All marked parameters are tested at the same time, each
    receiving the same payload item.

  • Common Use Cases: Request requires the same value in multiple fields
    simultaneously, e.g. username.

Pitchfork

  • Payloads: One for each parameter (up to 8)

  • Summary: Hits each parameter at the same time with one item from its
    associated payload.

  • Common Use Cases: Request requires value to be in multiple fields
    simultaneously, but different for each parameter.

Cluster Bomb

  • Payloads: One for each parameter (up to 8)

  • Summary: Combination of all payloads vs. parameters, so if there’s a
    username field and a password field, each has its own payload list, and
    the requests look like payloaduser1:payloadpass1,
    payloaduser1:payloadpass2, payloaduser1:payloadpass3,
    payloaduser2:payloadpass1, payloaduser2:payloadpass2,
    payloaduser2:payloadpass3.

  • Common Use Cases: Guess username/password combinations looking for clues
    in response codes, response lengths, etc.
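
To make the four placement rules concrete, here is a small model of them as an added example (it is not from the original post and not Burp's code). The function names, the base values, and the sample lists are constructed for illustration; it sends no traffic and only enumerates which value lands in which position. Pitchfork ending at the shortest list and Sniper leaving the other positions at their base values follow Burp's documented behaviour.

```python
from itertools import product

# Constructed sample data: two marked positions (username, password) with
# their base-request values, and the payload names used in the post.
BASE = ("baseuser", "basepass")
USERS = ["payloaduser1", "payloaduser2"]
PASSES = ["payloadpass1", "payloadpass2", "payloadpass3"]

def sniper(base, payloads):
    """One payload set; one position changes per request, the rest keep base values."""
    requests = []
    for pos in range(len(base)):
        for item in payloads:
            values = list(base)
            values[pos] = item
            requests.append(tuple(values))
    return requests

def battering_ram(base, payloads):
    """One payload set; the same item goes into every position at once."""
    return [tuple(item for _ in base) for item in payloads]

def _check(base, payload_sets):
    if len(payload_sets) != len(base):
        raise ValueError("need exactly one payload set per marked position")

def pitchfork(base, payload_sets):
    """One set per position, walked in lockstep; ends with the shortest set."""
    _check(base, payload_sets)
    return list(zip(*payload_sets))

def cluster_bomb(base, payload_sets):
    """One set per position; every combination, last position varying fastest
    (the order the post lists)."""
    _check(base, payload_sets)
    return list(product(*payload_sets))

def request_counts(base, single_set, payload_sets):
    """Requests each attack type generates, for comparison against rate limits."""
    return {
        "sniper": len(sniper(base, single_set)),
        "battering_ram": len(battering_ram(base, single_set)),
        "pitchfork": len(pitchfork(base, payload_sets)),
        "cluster_bomb": len(cluster_bomb(base, payload_sets)),
    }

if __name__ == "__main__":
    for combo in cluster_bomb(BASE, [USERS, PASSES]):
        print(":".join(combo))
    print(request_counts(BASE, PASSES, [USERS, PASSES]))
```

The request counts are the practical takeaway: Sniper grows as positions × payloads, Cluster Bomb as the product of all list lengths, while Pitchfork never exceeds the shortest list.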

Gerald Businge
