How to Fix Burp Suite Intruder Payload Issues
This tutorial covers how to fix Burp Suite Intruder payload issues: the key concepts, practical examples and best practices you need to diagnose and correct a misconfigured attack.
Symptom: Burp Suite Intruder does not insert payloads into the request, or the attack runs but every response is identical. The usual cause is misconfigured payload positions or payload processing rules.
The Wrong Way
// Marking the entire request body as one payload position
POST /api/login HTTP/1.1
Host: example.com
Content-Type: application/json
§{"username":"admin","password":"password123"}§
Wrapping the whole body in one position means each payload replaces the entire JSON body at once, so individual fields are never tested and the server rejects every request the same way.
The Right Way
Step 1: Mark correct payload positions
# Place § position markers around each field value to be fuzzed:
POST /api/login HTTP/1.1
Host: example.com
Content-Type: application/json
{"username":"§admin§","password":"§password123§"}
This creates two separate positions: one for the username and one for the password.
Step 2: Configure the payload type and the attack type
# Burp → Intruder → Payloads → "Payload Options"
# Simple list: for small dictionaries
# Numbers: for sequential IDs
# Brute forcer: for character combinations
# The attack type is chosen on the Positions tab, not under Payloads:
# Sniper (default): one position at a time, the other position keeps its original value
# Pitchfork: one payload set per position, advanced in parallel
# Cluster bomb: all combinations of the sets (cartesian product)
Step 3: Add payload processing rules
# URL-encode special characters only when the position sits in a URL or form-encoded body:
# Payload Processing → Add → "Encode" → "URL-encode all characters"
# For a JSON body, check the "Payload encoding" setting at the bottom of the Payloads tab instead:
# it URL-encodes " and other characters by default, so a JSON API receives %22 rather than the payload.
# Use "Add prefix/suffix" when the position must supply the JSON quotes:
# Prefix: ", Suffix: " (only if the § markers wrap the quotes too; in Step 1 they sit inside the quotes, so no prefix/suffix is needed)
Step 4: Check response analysis
# Intruder → Results → sort by:
# - Length (different length = different response)
# - Status (2xx vs 4xx vs 5xx)
# - Grep - Match / Grep - Extract (flag or extract specific text from each response)
A different response length or status code indicates the payload had an effect. If every row matches the baseline request, recheck the position markers and the payload encoding before anything else.
Intruder attack completed — 100 requests, 3 unique response lengths, 2 admin credentials found (Length: 442 vs 200).
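As an added example that is not Burp's own code, the following Python models Steps 1 to 4 in miniature: how § markers become position slots, how the Sniper, Pitchfork and Cluster bomb attack types expand payload sets, and why a JSON-escape processing rule keeps the payload intact where Burp's default URL-encoding hands the API a literal %22. TEMPLATE, the two rule functions and all payload values are constructed for illustration.

```python
# Added example, not Burp's own code: models how Intruder expands § positions
# per attack type and which processing rule keeps a JSON payload intact.
import itertools
import json
from urllib.parse import quote
MARKER = "\u00a7"  # the § character that delimits a payload position
# Constructed request template; the markers sit inside the JSON quotes as in Step 1.
TEMPLATE = ('POST /api/login HTTP/1.1\r\nHost: example.com\r\n'
            'Content-Type: application/json\r\n\r\n'
            '{"username":"\u00a7admin\u00a7","password":"\u00a7password123\u00a7"}')

def split_positions(template: str) -> list[str]:
    """Even indexes are literal text, odd indexes are the positions' baselines."""
    parts = template.split(MARKER)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced \u00a7 markers")
    return parts

def attack(template, payload_sets, mode, process=lambda p: p) -> list[str]:
    """One request per iteration; `process` (the processing rule) touches payloads only."""
    parts = split_positions(template)
    baseline, n = parts[1::2], len(parts) // 2
    sets = [[process(p) for p in s] for s in payload_sets]
    if mode == "sniper":          # one position at a time, payloads from set 1
        combos = [tuple(p if j == i else baseline[j] for j in range(n))
                  for i in range(n) for p in sets[0]]
    elif mode == "pitchfork":     # set i drives position i, advanced in lockstep
        combos = list(zip(*sets[:n]))
    elif mode == "clusterbomb":   # every combination of the sets
        combos = list(itertools.product(*sets[:n]))
    else:
        raise ValueError(f"unknown attack type: {mode}")
    def render(combo):
        filled = list(parts)
        filled[1::2] = combo      # drop each payload into its position slot
        return "".join(filled)
    return [render(c) for c in combos]

def url_encode_rule(payload: str) -> str:
    return quote(payload, safe="")  # Burp's default payload encoding: the JSON API gets literal %xx

def json_escape_rule(payload: str) -> str:
    return json.dumps(payload)[1:-1]  # escape " and \ so the JSON stays valid and the value intact

def parse_body(request: str):
    """JSON body as the server sees it, or None when it no longer parses."""
    try:
        return json.loads(request.split("\r\n\r\n", 1)[1])
    except ValueError:
        return None
```

Wrapping the whole body in a single position, as in the Wrong Way above, gives parse_body None for every payload, which is exactly the "all responses identical" symptom.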
Prevention
- Test Intruder with a single payload first to verify position marking.
- Use Pitchfork for SQL Injection testing, Cluster bomb for enumeration.
- The payload injection technique mirrors Doda Browser's fuzzing tool — systematic parameter testing reveals edge cases.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro