Burp Intruder Attack Types: When to Use Each One
Day 9 of my pentesting challenge. Intruder's four attack types confuse people, so here is the cheat sheet.
Sniper -- Independent Parameter Testing
One payload list, multiple positions, tested one position at a time while the others keep their default values. Use it to find which parameter is injectable:
POST /search HTTP/1.1
Content-Type: application/x-www-form-urlencoded
query=$$test$$&category=$$all$$&sort=$$date$$
With an XSS payload list, Sniper runs every payload through query while category and sort keep their defaults, then does the same for category, then for sort. Three positions x 50 payloads = 150 requests.
Pitchfork -- Paired Credential Testing
Multiple lists walked in parallel. Position 1 takes list 1, position 2 takes list 2, and request N uses the Nth entry of each list:
List 1 (emails): alice@corp.com, bob@corp.com
List 2 (passwords): Spring2026!, Welcome1
Request 1: alice@corp.com / Spring2026!
Request 2: bob@corp.com / Welcome1
Use when you have matched pairs from OSINT or breach data.
Cluster Bomb -- Full Combination
Every value in list 1 x every value in list 2, so the request count is the product of the list sizes. Expensive but thorough: 100 x 100 = 10,000 requests.
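To make the three modes concrete, here is an added example (my own code, not Burp's) that generates the request bodies each attack type would send from a template using the `$$default$$` position markers used in this post. The templates and payload lists are constructed; the counts it produces are the ones quoted above (3 positions x 50 payloads = 150 for Sniper, 100 x 100 = 10,000 for Cluster Bomb).

```python
import itertools
import re
from typing import List

# Positions are marked as $$default$$, matching the notation in this post.
MARKER = re.compile(r"\$\$(.*?)\$\$")


def positions(template: str) -> List[str]:
    """Return the default value of every marked position, left to right."""
    return MARKER.findall(template)


def render(template: str, values: List[str]) -> str:
    """Substitute one value per marked position, left to right."""
    if len(values) != len(positions(template)):
        raise ValueError("one value per marked position is required")
    it = iter(values)
    return MARKER.sub(lambda _m: next(it), template)


def sniper(template: str, payloads: List[str]) -> List[str]:
    """One list; each position gets every payload while the others stay default."""
    defaults = positions(template)
    out = []
    for i in range(len(defaults)):
        for p in payloads:
            vals = list(defaults)
            vals[i] = p
            out.append(render(template, vals))
    return out


def pitchfork(template: str, lists: List[List[str]]) -> List[str]:
    """One list per position, walked in parallel (request N = Nth entry of each).
    zip() stops at the shortest list, so unequal lengths silently truncate."""
    if len(lists) != len(positions(template)):
        raise ValueError("pitchfork needs exactly one list per position")
    return [render(template, list(combo)) for combo in zip(*lists)]


def cluster_bomb(template: str, lists: List[List[str]]) -> List[str]:
    """One list per position, every combination (Cartesian product)."""
    if len(lists) != len(positions(template)):
        raise ValueError("cluster bomb needs exactly one list per position")
    return [render(template, list(combo)) for combo in itertools.product(*lists)]


# Constructed templates mirroring the post's examples.
SEARCH_BODY = "query=$$test$$&category=$$all$$&sort=$$date$$"
LOGIN_BODY = "email=$$x$$&password=$$y$$"

EMAILS = ["alice@corp.com", "bob@corp.com"]
PASSWORDS = ["Spring2026!", "Welcome1"]

if __name__ == "__main__":
    print(len(sniper(SEARCH_BODY, [f"p{i}" for i in range(50)])))   # 150
    for req in pitchfork(LOGIN_BODY, [EMAILS, PASSWORDS]):
        print(req)                                                   # 2 paired requests
    print(len(cluster_bomb(LOGIN_BODY, [EMAILS, PASSWORDS])))        # 4 = 2 x 2
```

The render step is the part worth keeping in mind: every mode is just a different way of choosing which tuple of values fills the positions, which is why Pitchfork cost scales with the shortest list and Cluster Bomb with the product of all of them.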
Reading Results
Sort by response length, not status code. When testing for privilege escalation on admin endpoints:
GET /admin/$$path$$ HTTP/1.1
Cookie: session=<regular_user_token>
Most responses come back 403 at roughly 90 bytes. The few 200s at 2,000+ bytes are admin pages rendered in full for a regular-user session, which means those pages have no server-side role check. Real bug, found in seconds.
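The triage above is easy to script once results are exported from Intruder. This added example (mine, not Burp's) takes a constructed set of results shaped like the run described above, finds the dominant response length, flags everything that falls outside it, and doubles as an authorization regression check: every admin path should return the baseline 403 for a regular-user session.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Result:
    path: str      # value that filled the $$path$$ position
    status: int    # HTTP status code
    length: int    # response body length in bytes


# Constructed sample resembling the run described above: a regular-user session
# against /admin/$$path$$. Most paths are correctly denied; two are not.
SAMPLE: List[Result] = [
    Result("users", 403, 91),
    Result("settings", 403, 89),
    Result("logs", 403, 90),
    Result("reports", 200, 2431),
    Result("billing", 403, 91),
    Result("export", 200, 3102),
    Result("audit", 302, 0),
]


def _bucket(length: int, tolerance: int) -> int:
    """Collapse lengths that differ by a few bytes (e.g. the path echoed in an
    error page) into one bucket so they count as the same response."""
    return round(length / tolerance)


def baseline_bucket(results: List[Result], tolerance: int = 16) -> int:
    """The most common length bucket: the 'boring' response to compare against."""
    counts = Counter(_bucket(r.length, tolerance) for r in results)
    return counts.most_common(1)[0][0]


def flag_outliers(results: List[Result], tolerance: int = 16) -> List[Result]:
    """Results whose length is not in the baseline bucket, largest first.
    Status is ignored on purpose: length is what separates a rendered page
    from a short denial, which is the point of sorting by length."""
    base = baseline_bucket(results, tolerance)
    odd = [r for r in results if _bucket(r.length, tolerance) != base]
    return sorted(odd, key=lambda r: r.length, reverse=True)


def authz_regression(results: List[Result], expected_status: int = 403) -> List[str]:
    """Defender's view of the same data: paths a non-admin session could reach
    with anything other than the expected denial. Empty list means all good."""
    return [r.path for r in results if r.status != expected_status]


if __name__ == "__main__":
    for r in flag_outliers(SAMPLE):
        print(f"{r.length:>6} bytes  {r.status}  /admin/{r.path}")
    print("paths missing a role check:", authz_regression(SAMPLE))
```

Run this over the exported table after every release and the two admin pages that render for a regular user show up at the top without anyone scrolling through ten thousand 403s.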