Burp Intruder Attack Types: When to Use Each One Day 9 of my pentesting challenge. Intruder's four attack types confuse people, so here is the cheat sheet. Sniper -- Independent Parameter Testing One list, multiple positions, tested one at a time. Use for finding which parameter is injectable: POST /search HTTP / 1.1 Content-Type : application/x-www-form-urlencoded query=$$test$$&category=$$all$$&sort=$$date$$ Enter fullscreen mode Exit fullscreen mode With an XSS payload list, Sniper tests query with all payloads while category and sort stay default, then moves to category , then sort . Three positions, 50 payloads = 150 requests. Pitchfork -- Paired Credential Testing Multiple lists in parallel. Position 1 gets list 1, position 2 gets list 2: List 1 (emails): alice@corp.com, bob@corp.com List 2 (passwords): Spring2026!, Welcome1 Request 1: alice@corp.com / Spring2026!…