Burp Intruder


Burp Intruder is a tool for automating customised attacks against web applications.

You can use Burp Intruder to perform many kinds of tasks, including enumerating identifiers, harvesting useful data, and fuzzing for vulnerabilities. It can be used to test for flaws such as SQL injection, cross-site scripting, buffer overflows and path traversal; perform brute force attacks against authentication schemes; manipulate request parameters; trawl for hidden content and functionality; exploit session token predictability; mine for interesting data; and perform concurrency attacks and application-layer denial-of-service attacks. For a detailed discussion of the kinds of attack that can be performed using Burp Intruder, see Chapter 13 of The Web Application Hacker's Handbook.

Key features include:

  • Highly configurable algorithms for generating malicious HTTP requests.
  • Large number of built-in attack "payloads".
  • Tools for generating customised attack vectors, based on character sequences, substitution, malformed encoding, brute forcing, enumerated tokens, etc.
  • Full integration with other Burp Suite tools.
  • Customisable tests for anomalous or interesting server responses.
  • Detailed capture of results.
  • Ability to follow 3xx redirects during an attack.
  • IDS evasion and DoS mode.
  • Support for proxy servers, and authentication using basic, NTLM and digest types.
  • Runs on both Linux and Windows.

Burp Intruder is part of the Burp Suite of web application hacking tools. For examples of Burp Intruder in action, see the screenshots, or for detailed information about the configuration and execution of Burp Intruder, see the help file.

 

Copyright (c) 2010 PortSwigger Ltd. All rights reserved.