Figure 13-1: Positioning payloads
When a payload is inserted at a particular position, any text between the
markers will be overwritten with the payload. When a payload is not being
inserted, the text between the markers will be submitted instead. This is
necessary in order to test one parameter at a time, leaving others unmodified,
as when performing application fuzzing. Clicking on the Auto button will make
Intruder set payload positions at the values of all URL, cookie, and body
parameters, thereby automating a tedious task that was done manually in JAttack.
The sniper attack type is the one you will need most frequently, and
functions in the same way as JAttack’s request engine, targeting one payload
position at a time, submitting all payloads at that position, and then moving
on to the next position. There are other attack types that enable you to target
multiple positions simultaneously in different ways, using multiple payload sets.
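
The marker and sniper behavior described above can be reproduced offline in a short sketch. This is an added example, not code from the book, JAttack, or Burp. It assumes the § character that Intruder's positions view uses as its marker, and the request template and payload strings are constructed placeholders. It only builds request text and sends nothing.

```python
import re

MARKER = "§"  # assumption: the marker character shown in Intruder's positions view

# One payload position is a pair of markers around the base value: §base§
_POSITION = re.compile(f"{MARKER}(.*?){MARKER}", re.DOTALL)


def baseline(template):
    """Request with no payload inserted: every position keeps its base value."""
    return _POSITION.sub(lambda m: m.group(1), template)


def sniper_requests(template, payloads):
    """Yield (position_index, payload, request) in sniper order.

    One position is targeted at a time; every payload is placed there while
    all other positions submit the text found between their markers.
    """
    spans = [(m.start(), m.end(), m.group(1)) for m in _POSITION.finditer(template)]
    for target in range(len(spans)):
        for payload in payloads:
            parts, cursor = [], 0
            for index, (start, end, base) in enumerate(spans):
                parts.append(template[cursor:start])
                # Overwrite the marked text only at the targeted position.
                parts.append(payload if index == target else base)
                cursor = end
            parts.append(template[cursor:])
            yield target, payload, "".join(parts)


# Constructed sample: positions at a URL parameter, a second URL parameter
# and a cookie value, as the Auto button would place them.
TEMPLATE = (
    "GET /search?q=§shoes§&page=§1§ HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: session=§abc123§\r\n\r\n"
)
PAYLOADS = ["FUZZ_A", "FUZZ_B"]  # constructed placeholder payloads

if __name__ == "__main__":
    for position, payload, request in sniper_requests(TEMPLATE, PAYLOADS):
        lines = request.split("\r\n")
        print(position, payload, "|", lines[0], "|", lines[2])
```

With three positions and two payloads, the generator produces six requests, and each differs from the baseline request in exactly one marked value.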