
Payload Processing Rule in Burp Suite (Part 1)

Today, we are going to discuss the “Payload Processing” option in Burp Suite. This is an advanced feature of the Intruder tab, which is used for brute-force attacks.

Payload Processing

We can define it as follows: once payloads have been generated by a payload type, they can be further manipulated or filtered before they are sent. This is done through payload processing rules and payload encoding.

Payload Processing Rules

These rules perform processing tasks on each payload before it is used. They are executed in sequence, which also helps when debugging problems with the configuration. Payload processing rules are useful in situations where you need to generate unusual payloads, or where you want to wrap payloads within a wider structure or encoding scheme.

There are 12 types of payload processing rules available:

  • Add prefix
  • Add suffix
  • Match / Replace
  • Substring
  • Reverse substring
  • Modify case
  • Encode
  • Decode
  • Hash
  • Add raw payload
  • Skip if matches regex
  • Invoke Burp extension

Let’s start!!

Add Prefix

This processing rule adds a prefix before the payload.

First, we intercepted the request of the login page in the bWAPP lab, where we entered the default username and a wrong password. After clicking Login, Burp Suite captures the login request in the Intercept tab.


Configuring the Intruder Attack

Send the captured request to Intruder via the Action menu and follow the steps below. Open the Intruder tab and select the Positions tab, where the password value is highlighted; then follow the steps below to set the payload position.

  • Press the Clear button at the right of the window frame.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the attack type Sniper.
  • In the image below, we selected only the password, which means we need one dictionary file for the password.

After selecting the payload position, open the Payloads tab. Select the payload type Simple list, where we added a dictionary by clicking the Load button. We can either load a dictionary or manually add input strings using the Add button in the payload options, as shown in the image.

Adding the Prefix Payload Processing Rule and Launching the Attack

Before executing the attack, we added a payload processing rule to the payload type. This rule is called Add Prefix. We provided the input string “hash”, which is added as a prefix to every string in the dictionary. This can be seen in the result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.


Sit back and relax: Burp Suite now does its work and tries each password until it finds the correct one. When it finds the correct value, the Length column changes, as shown in the image.

To confirm the match, we enter that password on the bWAPP lab login page, which logs us in successfully. This confirms that the attack succeeded, as shown in the image.

Add Suffix

This processing rule adds a suffix after the payload.

First, we intercepted the request of the login page in the bWAPP lab, where we entered the default username and a wrong password. After clicking Login, Burp Suite captures the login request in the Intercept tab.


Send the captured request to Intruder via the Action menu and follow the steps below. Open the Intruder tab and select the Positions tab, where the password value is highlighted; then follow the steps below to set the payload position.

  • Press the Clear button at the right of the window frame.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the attack type Sniper.
  • In the image below, we selected only the password, which means we need one dictionary file for the password.

Configuring Payloads and Applying Add Suffix Rule

After selecting the payload position, open the Payloads tab. Select the payload type Simple list, where we added a dictionary by clicking the Load button. We can either load a dictionary or manually add input strings using the Add button in the payload options, as shown in the image.

Before executing the attack, we added a payload processing rule to the payload type. This rule is called Add Suffix. We provided the input string “1234”, which is added as a suffix to every input string in the dictionary. This can be seen in the result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.


Sit back and relax: Burp Suite now does its work and tries each password until it finds the correct one. When it finds the correct value, the Length column changes, as shown in the image.

Use this combination of username and password to log in and verify that the brute-force attack found the correct password.

Match / Replace

This processing rule replaces any part of the payload that matches a specific regular expression with a given string.

First, we intercepted the request of the login page in the bWAPP lab, where we entered the default username and a wrong password. After clicking Login, Burp Suite captures the login request in the Intercept tab.

Setting Up Intruder Positions and Attack Type

Send the captured request to Intruder via the Action menu and follow the steps below. Open the Intruder tab and select the Positions tab, where the password value is highlighted; then follow the steps below to set the payload position.

  • Press the Clear button at the right of the window frame.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the attack type Sniper.
  • In the image below, we selected only the password, which means we need one dictionary file for the password.


Configuring Payloads and Applying Match / Replace Rule

After selecting the payload position, open the Payloads tab. Select the payload type Simple list, where we added a dictionary by clicking the Load button. We can either load a dictionary or manually add input strings using the Add button in the payload options, as shown in the image.

Before executing the attack, we added a payload processing rule to the payload type. This rule is called Match / Replace. We entered “9870” in the Match regex option, which is matched against each input string in the dictionary. Wherever a match is found, it is replaced with the “1234” entered in the Replace with option, as shown in the image.

Select Start Attack in the Intruder menu.

Sit back and relax: Burp Suite now does its work and tries each password until it finds the correct one. When it finds the correct value, the Length column changes, as shown in the image.

Use this combination of username and password to log in and verify that the brute-force attack found the correct password.


Substring

This processing rule extracts a sub-portion of the payload, starting from a specified offset and up to a specified length. Here, both the offset and the length are counted from the front of the payload.

First, we intercepted the request of the login page in the bWAPP lab, where we entered the default username and a wrong password. After clicking Login, Burp Suite captures the login request in the Intercept tab.

Setting up Intruder Positions and Attack Type

Send the captured request to Intruder via the Action menu and follow the steps below. Open the Intruder tab and select the Positions tab, where the password value is highlighted; then follow the steps below to set the payload position.

  • Press the Clear button at the right of the window frame.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the attack type Sniper.
  • In the image below, we selected only the password, which means we need one dictionary file for the password.


Configuring Payloads and Applying Substring Rule

After selecting the payload position, open the Payloads tab. Select the payload type Simple list, where we added a dictionary by clicking the Load button. Here we added the dictionary using the “Add from list” option, as shown in the image below.

Before executing the attack, we added a payload processing rule to the payload type. This rule is called Substring. We entered “0” in the From option, which specifies the offset, and “3” in the Length option, which defines the length of the extracted string.

For example, if “password” is a word in the dictionary and we apply the above filter, the characters are counted as follows: p = 0, a = 1, s = 2, and s = 3. As a result, it reads only “pass” from the whole word “password”.

The specified length selects only those inputs that match that length, while inputs that are shorter or longer are discarded, as shown in the result window of the attack.

Executing the Attack and Verifying the Password

Select Start Attack in the Intruder menu.

Sit back and relax: Burp Suite now does its work and tries each password until it finds the correct one. When it finds the correct value, the Length column changes, as shown in the image.

Use this combination of username and password to log in and verify that the brute-force attack found the correct password.


Reverse Substring

This processing rule works like the Substring rule, except that the end offset is specified by counting backward from the end of the payload, and the length is also counted backward from that end offset.

First, we intercepted the login page request in the bWAPP lab. Here, we entered the default username along with an incorrect password. After clicking Login, Burp Suite captures the login request in the Intercept tab.

Send the captured request to Intruder via the Action menu and follow the steps below. Open the Intruder tab and select the Positions tab, where the password value is highlighted; then follow the steps below to set the payload position.

  • Press the Clear button at the right of the window frame.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the attack type Sniper.
  • In the image below, we selected only the password, which means we need one dictionary file for the password.


Configuring Payloads and Applying Reverse Substring Rule

After selecting the payload position, open the Payloads tab. Select the payload type Simple list, where we added a dictionary by clicking the Load button. Here we added the dictionary using the “Add from list” option, as shown in the image below.

Before executing the attack, we added a payload processing rule to the payload type. This rule is called Reverse Substring. We entered “2” in the From option, which specifies the offset, and “9” in the Length option, which defines the length of the extracted string. These settings are the same as for the Substring rule, but with a key difference: instead of counting from the start, the offset is counted backward from the end of the payload, and the length is counted backward from where the offset ends.

For example, if “admin123456” is a word in the dictionary and we apply the above filter, the characters are counted backward as follows: 4 = 0, 3 = 1, 2 = 2, 1 = 3, n = 4, i = 5, m = 6, d = 7, a = 8. As a result, it reads only “admin1234” from the whole word “admin123456”.

Additionally, the specified length selects only those inputs that match that length, while inputs that are shorter or longer are discarded, as shown in the result window of the attack.
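The five rules covered so far (Add Prefix, Add Suffix, Match / Replace, Substring and Reverse Substring), as an added Python model that is not part of this post or of Burp Suite itself: each rule is a function, and a chain of rules is applied to every payload in the order listed, which is how Intruder chains its processing rules. It assumes the semantics documented by PortSwigger (zero-based offset, Length as a plain character count, the reverse rule counting back from the end), under which Substring with From 0 and Length 3 yields “pas” from “password”, so check the Intruder result window rather than counting by hand.

```python
import re
from typing import Callable, List

# A processing rule maps one payload string to another. Intruder applies the
# configured rules to every payload in the order they are listed.
Rule = Callable[[str], str]

def add_prefix(prefix: str) -> Rule:
    return lambda payload: prefix + payload

def add_suffix(suffix: str) -> Rule:
    return lambda payload: payload + suffix

def match_replace(pattern: str, replacement: str) -> Rule:
    # Every part of the payload matching the regex is replaced by the literal string.
    regex = re.compile(pattern)
    return lambda payload: regex.sub(replacement, payload)

def substring(offset: int, length: int) -> Rule:
    # Zero-based start offset; `length` characters are taken counting forward.
    return lambda payload: payload[offset:offset + length]

def reverse_substring(end_offset: int, length: int) -> Rule:
    # End offset is counted backward from the end of the payload and the
    # length is counted backward from that end offset (assumed semantics).
    def rule(payload: str) -> str:
        end = max(len(payload) - end_offset, 0)
        return payload[max(end - length, 0):end]
    return rule

def process(payloads: List[str], rules: List[Rule]) -> List[str]:
    # Run every payload through the whole rule chain, in order.
    results = []
    for payload in payloads:
        for rule in rules:
            payload = rule(payload)
        results.append(payload)
    return results

# Constructed wordlist standing in for the dictionary loaded into Intruder.
WORDLIST = ["password", "9870", "admin123456", "bug"]

if __name__ == "__main__":
    for name, rule in [("Add prefix 'hash'", add_prefix("hash")),
                       ("Add suffix '1234'", add_suffix("1234")),
                       ("Match 9870 / replace 1234", match_replace("9870", "1234")),
                       ("Substring from 0 length 3", substring(0, 3)),
                       ("Reverse substring from 2 length 9", reverse_substring(2, 9))]:
        print(f"{name}: {process(WORDLIST, [rule])}")
```

Chaining several rules (for example Add Prefix followed by Add Suffix) reproduces what Intruder does when more than one rule is configured, and a payload shorter than the requested substring simply comes out truncated or empty rather than causing an error.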

Launching the Attack and Verifying Results

Select Start Attack in the Intruder menu.

Sit back and relax: Burp Suite now does its work and tries each password until it finds the correct one. When it finds the correct value, the Length column changes, as shown in the image.

Use this combination of username and password to log in and verify that the brute-force attack found the correct password.


Modify Case

You can use this processing rule to modify the case of the payload if needed. It offers the same options as the Case modification payload type, which we explained in Part 1 of the Payload Types article.

Source: portswigger.net

To learn more about Burp Suite for pentesters, follow this link.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here