intruder
Fuzz HTTP endpoints using sniper, battering ram, pitchfork, and cluster bomb attacks. Define payload positions and filter results by status, timing, or length.
Instructions
Burp Intruder-style fuzzing with sniper, battering ram, pitchfork, and cluster bomb attack types. See rqwstr_docs(topic="intruder") for attack types and CSRF handling.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| sni | No | TLS SNI override. Decouples SNI from Host header for HTTPS requests. | |
| url | Yes | Target URL with §position§ markers | |
| body | No | Request body (may contain §position§ markers) | |
| method | Yes | HTTP method | |
| headers | No | Request headers (may contain §position§ markers) | |
| threads | No | Concurrent threads (default 1 max 50) | |
| payloads | No | Position name to payload values mapping | |
| output_dir | No | Directory to save response bodies (creates if not exists) | |
| timeout_ms | No | Per-request timeout in ms (default 30000) | |
| attack_type | Yes | Attack type: sniper battering_ram pitchfork cluster_bomb | |
| raw_headers | No | Raw headers string (\r\n-separated). Appended after headers map. Allows duplicate headers and non-standard formatting. | |
| filter_match | No | Only show responses matching this regex | |
| http_version | No | HTTP version: 1.1 or 2 (default 1.1; use 2 for HTTPS timing attacks) | |
| filter_status | No | Only show these status codes | |
| payload_files | No | Position name to relative hunt artifact path (one payload per line); absolute paths require RQWSTR_ALLOW_ABSOLUTE_FILE_PATHS=1 | |
| session_setup | No | Chain-like steps to run before each request. Fetches CSRF tokens and session state. Extracted variables substitute via double-brace syntax. Cookies auto-forward. | |
| filter_time_gt | No | Only show responses slower than N milliseconds | |
| filter_time_lt | No | Only show responses faster than N milliseconds | |
| payload_ranges | No | Position name to range spec (e.g. 1-254 or 0-100:5) | |
| request_target | No | Override request-line target (RFC 7230 §5.3.2 absolute-form). May contain §position§ markers. | |
| filter_length_gt | No | Only show responses larger than N bytes | |
| filter_length_lt | No | Only show responses smaller than N bytes | |
| filter_exclude_payload | No | Regex to exclude results where any payload value matches |