Intruder (Attack Studio)

~8 min · attack modes + payloads · Free Sniper / Hunter Pro

The short version. Intruder is Crusader's automated request attacker: take one captured request, mark the bytes you want to vary as insertion points, attach payload lists, and fire thousands of permutations to fuzz parameters, enumerate IDs, brute-force, or test authorization. Pick the attack mode that matches your insertion points — Sniper, Battering ram, Pitchfork, or Cluster bomb — then sort and grep the results to find the response that doesn't look like the others. Free ships Attack Studio Lite: Sniper mode, capped at 2,000 generated requests. The other three modes and uncapped volume are Hunter Pro.

01 What Intruder is for

Repeater is for sending one request at a time by hand. Intruder is for sending the same request hundreds or thousands of times, varying one or more parts of it from a list. That covers most of the repetitive work in a test: enumerating object IDs for IDOR, fuzzing a parameter with a wordlist, brute-forcing a login or a token, walking a date or page range, or spraying a payload set across a header.

The model is deliberately simple. You start from a single real request, mark the spots that should change, and give Crusader the values to drop in. Crusader generates the request set, sends it, and lays every response out in a sortable table so the outlier — a different status code, a longer body, a slower reply, a grep hit — stands out.

Intruder is intrusive: it sends real, often malformed, traffic at the target in volume. Only run it against systems you are authorized to test, and mind the request cap and timing on production hosts.

02 Step 1 — Send a request to Intruder

Every attack starts from a captured request. In HTTP History (or any request you already have open in Repeater), send the request to Intruder. It opens in a new attack tab with the full raw request as the template — method, path, headers, and body all editable.

Pick a request that already does the thing you want to vary. If you're hunting IDOR, capture a request that fetches one object you own; if you're fuzzing a search parameter, capture one normal search. The closer the template is to a real, authenticated request, the less you have to fix up by hand before marking insertion points.

03 Step 2 — Mark insertion points

An insertion point is a span of the request that Intruder will replace with each payload. Select the bytes you want to vary — an ID in the path, a value in the query string, a field in a JSON body, a header value — and mark them. Each marked span becomes one position the attack drives.

You can mark several insertion points in one request; how their payloads combine is what the attack mode decides. Mark only what should change and leave the rest of the request fixed — over-marking inflates the request count fast, especially in Cluster bomb.

To find candidates quickly, let Crusader propose them. crusader intruder detect analyzes a request and returns the parameters worth fuzzing — query params, body fields, and other obvious positions — so you can start from a suggested set instead of hunting for offsets by eye.

# suggest insertion points for a captured request (by history id)
crusader intruder detect <history-id>

04 Step 3 — Pick an attack mode

The attack mode controls how payloads map onto your insertion points. With one position the choice barely matters; with two or more it decides whether payloads move together, independently, or in every combination — and therefore how many requests you generate.

Mode | Tier | When to use it
Sniper | Free | One payload list, one position at a time. With several insertion points it cycles the list through each in turn (the others stay at their original value). The default for fuzzing or enumerating a single parameter.
Battering ram | Hunter Pro | One payload list, placed into every insertion point at once with the same value each request. Use when the same payload must appear in multiple spots — e.g. a token repeated in a header and the body.
Pitchfork | Hunter Pro | One list per insertion point, advanced in lockstep (1st with 1st, 2nd with 2nd…). Use for paired data — a username list and its matching password/ID list — where row N goes together.
Cluster bomb | Hunter Pro | One list per insertion point, every combination (the cartesian product). Use for credential brute-forcing — each username against each password. Request count multiplies fast, so keep lists small.

On Free, only Sniper is available. Battering ram, Pitchfork, and Cluster bomb unlock with Hunter Pro, along with the removal of the 2,000-request cap.
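The four mappings in the table, as an added JavaScript example (not Crusader's own code): it builds the request set each mode produces from a constructed template and counts requests up front against the Free cap. The §name§ insertion-point markers and all function names are assumptions made for this illustration.

```javascript
// Added illustration, not Crusader's own code: how each attack mode maps payload
// sets onto insertion points. The §name§ marker syntax is assumed for this example;
// the page does not describe Crusader's real marker format.
const FREE_REQUEST_CAP = 2000;                   // Free-tier cap stated in the docs
const TEMPLATE = "GET /api/users/§id§?view=§view§ HTTP/1.1";  // constructed sample request
// Fill every marked position from a {position: value} map.
function render(template, values) {
  return template.replace(/§(\w+)§/g, (_, name) => values[name]);
}
// One {position: value} object per request the mode would send. positions: ordered
// names; sets: one list (sniper, battering ram) or one per position (pitchfork,
// cluster bomb); originals: the template's own values, kept where sniper is not driving.
function generateAssignments(mode, positions, sets, originals) {
  const out = [];
  if (mode === "sniper") {                       // one list, one position at a time
    for (const pos of positions)
      for (const p of sets[0]) out.push({ ...originals, [pos]: p });
  } else if (mode === "battering-ram") {         // one list, same value everywhere
    for (const p of sets[0]) out.push(Object.fromEntries(positions.map((pos) => [pos, p])));
  } else if (mode === "pitchfork") {             // lockstep rows, stops at the shortest list
    const n = Math.min(...sets.map((s) => s.length));
    for (let i = 0; i < n; i++)
      out.push(Object.fromEntries(positions.map((pos, k) => [pos, sets[k][i]])));
  } else if (mode === "cluster-bomb") {          // cartesian product of all lists
    const walk = (k, acc) => {
      if (k === positions.length) { out.push({ ...acc }); return; }
      for (const p of sets[k]) walk(k + 1, { ...acc, [positions[k]]: p });
    };
    walk(0, {});
  } else {
    throw new Error("unknown mode: " + mode);
  }
  return out;
}
function buildRequests(mode, template, positions, sets, originals) {
  return generateAssignments(mode, positions, sets, originals).map((v) => render(template, v));
}
// Request count without generating anything: check it against the cap before
// starting, since cluster bomb multiplies list sizes.
function requestCount(mode, positions, sets) {
  if (mode === "sniper") return positions.length * sets[0].length;
  if (mode === "battering-ram") return sets[0].length;
  if (mode === "pitchfork") return Math.min(...sets.map((s) => s.length));
  if (mode === "cluster-bomb") return sets.reduce((n, s) => n * s.length, 1);
  throw new Error("unknown mode: " + mode);
}
function exceedsFreeCap(count) { return count > FREE_REQUEST_CAP; }
```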

05 Step 4 — Payloads, processors, and SecLists

Each insertion point gets a payload set — the values Intruder feeds into it. A set can be a list you paste, a file you load, or a generated sequence (numbers over a range, dates, brute-force character sets). Sniper and Battering ram use one set; Pitchfork and Cluster bomb take one set per position.

SecLists

Crusader reads SecLists-style wordlists directly, so the standard fuzzing, discovery, and password lists work as payload sources without conversion. Point a payload set at the file you want and it streams in.

Payload processors

A processor transforms each payload after it's pulled from the set and before it's placed in the request. Chain them to do things like URL- or Base64-encode, hash, prefix/suffix, case-change, or skip values that match a pattern — useful when the target expects payloads wrapped or encoded a certain way. Processors run in order, so an encode step after a prefix step encodes the prefixed value.

Need a payload set or transform that isn't built in? A community plugin can register crusader.payloadGenerator({name, generate}) or crusader.payloadProcessor(fn) to add your own — see the extensions guide.
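An added JavaScript illustration (not Crusader's plugin code) of the generator and processor shapes named above and of the ordering rule: the same chain with prefix and Base64 steps swapped gives different payloads. The crusader.payloadGenerator / crusader.payloadProcessor registration calls are not reproduced, and every helper name here is this example's own.

```javascript
// Added illustration, not Crusader's plugin API: a generator in the {name, generate}
// shape and processors in the fn shape the docs name, run through a local pipeline
// so the "processors run in order" rule is visible. Registration via crusader.* is
// assumed to exist and is not reproduced here.
const rangeGenerator = {        // zero-padded numeric range, the sequence used to walk IDs
  name: "range-padded",
  generate: ({ from, to, width }) => {
    const out = [];
    for (let i = from; i <= to; i++) out.push(String(i).padStart(width, "0"));
    return out;
  },
};
// Processors: payload in, transformed payload out; null means skip this payload.
const prefix = (p) => (s) => p + s;
const suffix = (p) => (s) => s + p;
const base64 = (s) => Buffer.from(s, "utf8").toString("base64");
const urlEncode = (s) => encodeURIComponent(s);
const skipMatching = (re) => (s) => (re.test(s) ? null : s);

// Apply the chain in order; a null from any step drops the payload.
function applyProcessors(payloads, processors) {
  const out = [];
  for (const raw of payloads) {
    let v = raw;
    for (const fn of processors) {
      v = fn(v);
      if (v === null) break;
    }
    if (v !== null) out.push(v);
  }
  return out;
}

// Order matters: prefix-then-encode wraps the prefix inside the Base64; encode-then-prefix
// leaves the prefix in the clear. The third chain shows skip + suffix + URL-encode.
function orderDemo() {
  const ids = rangeGenerator.generate({ from: 1, to: 3, width: 3 });
  return {
    prefixThenEncode: applyProcessors(ids, [prefix("user:"), base64]),
    encodeThenPrefix: applyProcessors(ids, [base64, prefix("user:")]),
    filtered: applyProcessors(ids, [skipMatching(/^002$/), suffix("@example.test"), urlEncode]),
  };
}
```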

06 Step 5 — Run, grep, and filter

Start the attack. Crusader sends the generated request set and streams each result into a table — one row per request, with the payload, status code, response length, and elapsed time. The whole point is to find the row that breaks the pattern.

Sort and filter to surface it:

  • Status code — a lone 200 in a wall of 403s (access-control bypass), or a 500 where a payload broke something.
  • Response length / time — a body that's longer, shorter, or slower than its neighbours often marks a different code path — the classic blind-injection and enumeration tell.
  • Response grep — flag rows whose response contains (or lacks) a string you specify, so a match like an error fragment, a username, or a "welcome" marker jumps out without reading every body.

Combine them: grep for an error string, then sort by length to separate true hits from noise. When a row looks real, send it to Repeater to confirm and develop it by hand.
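The triage just described, as an added JavaScript example (not Crusader's code) run over a constructed result table: it flags rows whose status differs from the common one, whose length or time sits far from the median, or whose body matches a grep string, then combines the tells and sorts by length. The row data and function names are constructed for this illustration.

```javascript
// Added example, not Crusader's code: triage over a constructed Intruder-style result
// table (one row per request: payload, status, length, time in ms, body), flagging the
// rows that break the pattern the way the docs describe: odd status, odd length or
// time, and a response-grep hit.
const ROWS = [                 // constructed sample results from an ID-enumeration run
  { payload: "1001", status: 403, length: 118, ms: 41, body: "forbidden" },
  { payload: "1002", status: 403, length: 118, ms: 39, body: "forbidden" },
  { payload: "1003", status: 200, length: 2310, ms: 47, body: '{"owner":"alice"}' },
  { payload: "1004", status: 403, length: 118, ms: 40, body: "forbidden" },
  { payload: "1005", status: 500, length: 312, ms: 1205, body: "SQLSTATE[42000] syntax error" },
  { payload: "1006", status: 403, length: 118, ms: 38, body: "forbidden" },
];
const mostCommon = (xs) => [...xs.reduce((m, x) => m.set(x, (m.get(x) || 0) + 1), new Map())]
  .sort((a, b) => b[1] - a[1])[0][0];
const median = (xs) => { const s = [...xs].sort((a, b) => a - b), h = s.length >> 1;
  return s.length % 2 ? s[h] : (s[h - 1] + s[h]) / 2; };

// Rows whose status differs from the most common one (a lone 200 in a wall of 403s).
function statusOutliers(rows) {
  const base = mostCommon(rows.map((r) => r.status));
  return rows.filter((r) => r.status !== base);
}
// Rows whose length or time sits far from the median, measured in median absolute
// deviations so the outliers themselves do not drag the baseline.
function deviationOutliers(rows, field, factor = 5) {
  const vals = rows.map((r) => r[field]);
  const med = median(vals);
  const mad = median(vals.map((v) => Math.abs(v - med))) || 1;  // 1 when most rows are identical
  return rows.filter((r) => Math.abs(r[field] - med) > factor * mad);
}
// Response grep: rows whose body contains the pattern, or lacks it when invert is set.
function grepRows(rows, pattern, invert = false) {
  return rows.filter((r) => r.body.includes(pattern) !== invert);
}
// Combine the tells: every flagged row with its reasons, longest response first,
// which is the "grep, then sort by length" triage the docs suggest.
function triage(rows, errorString) {
  const reasons = new Map();
  const tag = (why) => (r) => reasons.set(r.payload, [...(reasons.get(r.payload) || []), why]);
  statusOutliers(rows).forEach(tag("status"));
  deviationOutliers(rows, "length").forEach(tag("length"));
  deviationOutliers(rows, "ms").forEach(tag("time"));
  grepRows(rows, errorString).forEach(tag("grep"));
  return rows.filter((r) => reasons.has(r.payload))
    .sort((a, b) => b.length - a.length)
    .map((r) => ({ payload: r.payload, reasons: reasons.get(r.payload) }));
}
```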

Blind bug? Drop a Beacon payload into an insertion point and watch for the out-of-band callback instead of grepping the response — the way to catch blind SSRF, XXE, and OOB injection through Intruder.

07 From the CLI

Intruder is scriptable. crusader intruder detect proposes insertion points for a request, and crusader intruder run executes an attack. Like every Crusader CLI verb, it prints JSON to stdout (errors go to stderr with exit code 1), so it pipes cleanly into scripts and agents.

# 1) ask Crusader which parameters are worth fuzzing
crusader intruder detect <history-id>

# 2) run an attack and capture the result table as JSON
crusader intruder run <history-id> > attack.json

The Free request cap and Sniper-only restriction apply to CLI runs exactly as they do in the GUI — the modes and volume gated to Hunter Pro stay gated however you invoke them.

08 Tiers & limits

Intruder runs on every tier, but Free is deliberately scoped:

Capability | Free (Attack Studio Lite) | Hunter Pro
Attack modes | Sniper only | Sniper, Battering ram, Pitchfork, Cluster bomb
Generated requests | Capped at 2,000 per attack | Uncapped
Payload sets & processors | Yes | Yes
SecLists wordlists | Yes | Yes
Response grep & filtering | Yes | Yes

Free is a real attacker, not a teaser — Sniper plus a 2,000-request budget covers a lot of single-parameter fuzzing and enumeration. Reach for Hunter Pro when you need multi-position modes (paired or combinatorial payloads) or attack sets larger than the cap. Pricing is on the pricing page and your current tier is on the License & billing screen.

One more time, because volume amplifies it: only point Intruder at targets you're authorized to test. High-rate attacks can lock accounts, trip WAFs, and degrade production — scope the host and throttle accordingly.
