Intruder Guide - PhantomYerra Help

How the Intruder Works

Load a request — Send a request from the Interceptor, Repeater, or scan findings. Or paste a raw HTTP request manually.
Mark injection points — Wrap values you want to fuzz with the § delimiter. PhantomYerra highlights each position in a different color.
Choose an attack mode — Sniper, Battering Ram, Pitchfork, or Cluster Bomb. Each mode determines how payloads are distributed across positions.
Configure payload sets — Assign a payload list (or generator) to each injection position.
Set extraction rules — Define grep patterns to extract specific data from responses (e.g., error messages, tokens, user data).
Launch the attack — PhantomYerra sends all requests, logs every response, and highlights anomalies in real time.

Marking Injection Points

Injection points tell the Intruder which parts of the request to replace with payloads. Wrap any value with § markers:

POST /api/login HTTP/1.1 Host: target.com Content-Type: application/json Cookie: session=§abc123def§ {"username": "§admin§", "password": "§P@ssw0rd§"} # Three injection points marked: # Position 1: session cookie value # Position 2: username # Position 3: password

Auto-Detect Injection Points

Click Auto § and PhantomYerra automatically identifies and marks likely injection points:

Query parameter values
JSON object values (strings, numbers, booleans)
XML element contents and attribute values
Cookie values
Form field values (application/x-www-form-urlencoded)
Multipart form data field values
Custom header values that appear user-controlled

Manual Point Controls

Button	Action
Add §	Wrap the selected text with `§` markers to create a new injection point.
Clear §	Remove all `§` markers from the request.
Auto §	Automatically detect and mark injection points.

Four Attack Modes

1. Sniper

Tests one injection point at a time. Iterates through a single payload list, inserting each payload into each position sequentially while all other positions hold their original values.

# 2 positions, 3 payloads = 6 total requests Positions: §admin§ §password§ Payloads: [A, B, C] Request 1: username=A, password=password (position 1, payload A) Request 2: username=B, password=password (position 1, payload B) Request 3: username=C, password=password (position 1, payload C) Request 4: username=admin, password=A (position 2, payload A) Request 5: username=admin, password=B (position 2, payload B) Request 6: username=admin, password=C (position 2, payload C)

Best for: Identifying which parameter is vulnerable. Testing a list of SQLi, XSS, or command injection payloads against each input.

2. Battering Ram

Inserts the same payload into ALL positions simultaneously. Iterates through a single payload list.

# 2 positions, 3 payloads = 3 total requests Positions: §admin§ §password§ Payloads: [A, B, C] Request 1: username=A, password=A Request 2: username=B, password=B Request 3: username=C, password=C

Best for: When the same value must appear in multiple locations (e.g., CSRF token in body AND header). Also useful when testing one payload against the entire request surface.

3. Pitchfork

Each position gets its own payload list. Payloads are used in lockstep — item 1 from list A with item 1 from list B, item 2 from each, and so on. The attack stops when the shortest list is exhausted.

# 2 positions, 2 lists = 3 total requests (stops at shortest list) Position 1 payloads: [alice, bob, charlie] Position 2 payloads: [pass1, pass2, pass3] Request 1: username=alice, password=pass1 Request 2: username=bob, password=pass2 Request 3: username=charlie, password=pass3

Best for: Credential stuffing with known username:password pairs. Testing matched data sets where position 1 and position 2 are correlated.

4. Cluster Bomb

Tests every possible combination of payloads across all positions (Cartesian product). Each position gets its own payload list.

# 2 positions, 3 x 3 = 9 total requests Position 1 payloads: [alice, bob, charlie] Position 2 payloads: [pass1, pass2, pass3] Request 1: username=alice, password=pass1 Request 2: username=alice, password=pass2 Request 3: username=alice, password=pass3 Request 4: username=bob, password=pass1 Request 5: username=bob, password=pass2 Request 6: username=bob, password=pass3 Request 7: username=charlie, password=pass1 Request 8: username=charlie, password=pass2 Request 9: username=charlie, password=pass3

Best for: Brute-force attacks. Testing every username against every password. Can produce a very large number of requests (M x N x P...).

Request count warning: Cluster Bomb with large payload lists generates massive request volumes. PhantomYerra shows the total request count before launch. For 100 usernames x 1,000 passwords = 100,000 requests. Ensure rate limiting is configured to avoid overwhelming the target or triggering lockouts.

Payload Sets

Built-in Payload Lists

PhantomYerra ships with curated payload lists for common vulnerability classes:

Category	Lists Included	Payload Count
SQL Injection	MySQL, MSSQL, PostgreSQL, Oracle, NoSQL — error-based, blind, time-based, UNION, stacked queries	2,500+
XSS	Reflected, DOM, stored, polyglot, event handlers, CSP bypass, WAF bypass, mutation XSS	1,800+
Command Injection	Unix, Windows, PowerShell — chaining operators, encoding bypass	800+
Path Traversal	Linux paths, Windows paths, encoding variants, null byte, double encoding	600+
SSRF	Internal IPs, cloud metadata URLs, DNS rebinding, protocol smuggling	400+
Authentication	Common passwords, default credentials, username enumeration	10,000+
Fuzzing	Boundary values, format strings, long strings, special characters, null bytes	1,200+
SSTI	Jinja2, Twig, Freemarker, Mako, Pebble, Velocity template payloads	300+

Custom Payload Sources

File — Load payloads from a text file (one per line). Supports any wordlist format.
Clipboard — Paste payloads directly. One per line.
Number range — Generate sequential numbers. Configure start, end, and step. Example: 1 to 10000 for IDOR testing.
Character set — Generate all combinations of specified characters up to a given length. For brute-forcing short tokens or PINs.
Dates — Generate date strings in a specified format across a date range. For testing date-based access controls or log injection.
Null payloads — Send requests with the injection point value removed entirely. Tests for missing parameter handling.
AI-generated — In AI-assisted mode, PhantomYerra generates context-aware payloads based on the target's technology stack, detected WAF, and previous responses.

Payload Processing

Apply transformations to each payload before insertion:

URL encode — Encode special characters for query parameters
Base64 encode/decode — Wrap payloads in Base64
HTML encode — Entity-encode for HTML context injection
Prefix/Suffix — Add static text before or after each payload
Case modification — Convert to upper, lower, or mixed case (for case-insensitive filter bypass)
Hash — MD5 or SHA-256 hash each payload (for testing hash-based comparisons)
Skip if matches — Exclude payloads matching a regex pattern

Grep & Extraction Rules

Grep rules let you extract and flag specific data from every response. This turns the results table into a structured data extraction engine.

Grep Match

Define strings or regex patterns to flag responses that contain matching content. Each match appears as a boolean column in the results table.

# Example grep match rules "error in your SQL syntax" → Column: SQL Error (true/false per response) "Welcome, admin" → Column: Admin Access (true/false) "stack trace" → Column: Stack Trace Leaked

Grep Extract

Extract specific values from each response using regex capture groups. Extracted values appear as columns in the results table.

# Example grep extract rules "Welcome, ([^"]+)" → Column: Logged-in User (extracted name) "csrf_token" value="([^"]+)" → Column: CSRF Token (extracted value) "\"balance\":(\d+\.?\d*)" → Column: Account Balance (extracted number)

Grep Payload

Check whether the payload itself appears in the response (reflected). Useful for XSS testing: if the payload is reflected unescaped, it is likely vulnerable.

Rate Limiting & Throttling

Control the speed and concurrency of the Intruder attack to avoid overwhelming the target or triggering rate-limiting defenses.

Setting	Default	Description
Concurrent threads	10	Number of simultaneous requests. Increase for faster attacks, decrease to avoid detection.
Request delay	0 ms	Fixed delay between each request. Set to 100-500ms to stay under rate limits.
Random delay	Off	Add random jitter (e.g., 100-500ms) to each request delay. Makes traffic look more natural.
Max retries	3	Retry failed requests (connection errors, timeouts) up to this many times.
Timeout	30s	Per-request timeout. Increase for slow targets or time-based blind testing.
Pause on status	Off	Automatically pause the attack when a specific status code is received (e.g., 429 Too Many Requests).
Max requests	Unlimited	Stop the attack after this many total requests. Safety limit for Cluster Bomb mode.

Responsible testing: Always configure rate limiting appropriately. Overwhelming a target with thousands of concurrent requests can cause denial of service. Start with low concurrency (5-10 threads) and increase only if the target handles the load.

Analyzing Results

As the attack runs, results stream into a sortable, filterable table in real time.

Results Table Columns

Column	Description
#	Request sequence number
Payload	The payload(s) used in this request
Status	HTTP response status code
Length	Response body length in bytes
Time	Round-trip time in milliseconds
Error	Connection or timeout error (if any)
Grep columns	Your configured grep match/extract values

Identifying Anomalies

Status code changes — A payload that triggers a different status code (e.g., 500 vs 200) often indicates a vulnerability.
Response length changes — Sort by length. Outliers (significantly larger or smaller responses) may indicate successful injection.
Timing anomalies — Sort by time. Requests that take significantly longer may indicate time-based blind injection (SLEEP, pg_sleep, WAITFOR DELAY).
Grep match hits — Filter to show only rows where your grep pattern matched (e.g., "SQL error" = true). These are your high-priority findings.
Reflected payloads — If the "Payload Reflected" column is true and the payload contained script tags, that is a strong XSS indicator.

Drill Down

Click any result row to view the full request and response in a detail panel. From there:

Send to Repeater — Move this specific request/response to the Repeater for manual follow-up.
Capture as Evidence — SHA-256 hash and timestamp this pair as finding evidence.
Create Finding — Directly create a vulnerability finding from this result, pre-populated with the payload, evidence, and response details.

Common Attack Workflows

Workflow 1: SQL Injection Discovery

1

Send Request to Intruder

From the Interceptor or Repeater, send a request with dynamic parameters to the Intruder.
2

Mark Injection Points

Auto-detect or manually mark all parameter values as injection points.
3

Select Sniper Mode + SQLi Payloads

Use Sniper mode to test each parameter individually. Load the SQL Injection payload set.
4

Add Grep Rules

Add grep match rules for common SQL error strings: SQL syntax, mysql_fetch, ORA-, unclosed quotation.
5

Launch and Analyze

Run the attack. Sort results by the SQL Error grep column. Any "true" rows are confirmed injection points. Click to inspect the full error response.

Workflow 2: IDOR / Access Control Testing

1

Capture an Authorized Request

Intercept a request like GET /api/users/123/profile that returns your own profile.
2

Mark the ID as Injection Point

Mark §123§ as the injection point in the URL path.
3

Use Number Range Payloads

Configure a number range from 1 to 1000 (or use known user IDs). Select Sniper mode.
4

Add Grep Extract

Extract the username or email from each response: "email":"([^"]+)". This confirms you are accessing other users' data.
5

Analyze Results

If responses return 200 with different users' data, IDOR is confirmed. The extracted emails/usernames in the grep column are the evidence.

Keyboard Shortcuts

Shortcut	Action
`Ctrl+Enter`	Start/resume the attack
`Ctrl+Shift+Enter`	Pause the attack
`Ctrl+A`	Auto-detect injection points
`Ctrl+Shift+A`	Clear all injection points
`Ctrl+R`	Send selected result to Repeater
`Ctrl+E`	Capture selected result as evidence
`Ctrl+F`	Search/filter results table
`Ctrl+S`	Save results to file (CSV or JSON)

Tip: Save interesting Intruder configurations (request + positions + payloads + grep rules) as templates for reuse across engagements. Click Save Template and name it (e.g., "IDOR-numeric", "SQLi-full-suite").

Intruder — Payload Fuzzer & Attack Automation