Hello,


This is the first time I've used the BurpSuite Intruder and I wanted to do a very simple brute force attack on a local DVWA instance. So I set up the proxy, received the GET request and sent it to the Intruder, where I processed the positions, which looked like this:
If I now want to edit the 2 positions in the Payload - Tab, I can only select the username - position but not the password one:


I have tested 4 different Burp versions (
- Arch Linux 5.6.4: v2020_2_1 and 2_1_04
- Kali Linux 2020.1: v2.1.07
- Windows 10 17763: v2020_2_1
always in the Community edition).

I haven't (yet) set up/changed anything in the software, I just started it (Temporary Project -> Use Burp defaults).

Does anyone here know the error and a possible fix?

I use Burp Pro at work daily and have never encountered this issue. Perhaps CE has a limitation? I have access to a CE instance as well so will test this for you and report back.

I see now - you have to add some usernames to the list (hand enter only), then you can choose "Payload set 2" and enter possible passwords to use. Make sure you are using "cluster bomb" as your attack type.

I did this on the CE edition on my kali box. Hope that helps.

1 members found this post helpful.

Cluster bomb has "fixed" it, thank you very much. I missed on the help video that he changed the attack type.

Glad you got it working. FYI: we also use OWASP ZAP at work as a proxy and it is very powerful, but...the UI is radically different than Burp and not very easy to figure out. Once you do though, it is entirely free as it's open source.

Thanks for the info! Yes, I've been using ZAP a little longer than Burp but mainly for automatic scans in combination with Jenkins. With Burp I wanted/would like to test more by myself.