One of Burp Suite most powerful feature is the intruder. This feature allows us to set variables in a request and to iterate over values, replace the variables by the values and send a request for each variable.
With this feature we can fuzz an application or try to brute force some credentials.
In our example we will brute force some credentials.
The first step to use the intruder is to get a request.
The first interesting tab of the intruder interface is the position tab. This tab lets us configure which part of the request will vary. Burp Suite offers an automatic detection of variables. In our case we are not interested and use §Clear§ to remove every variable.
A variable is a piece of text surrounded by the
To add a variable we have two options :
§character before and after the text that should vary.
We add the username and password as variables.
We also select the attack type : Cluster bomb.
The Payloads tab configures the list of strings we want to try. Here we will start by configuring the list of usernames :
We have to repeat the operation for the list of passwords (we choose the paylaod set 2).
Our attack is completely configured now and we can start it with Start Attack if we want to. That being said, we would like to know when some credential stuffing worked. We use the Grep - Match option in the Options tab to detect successful login attempts.
We know that failed login attempts will trigger a response containing the words "password incorrect", so we configure the tool to add a flag to a response with these words :
Now we can start the attack.
The results are presented in a table. We can select the responses that are not flagged with our grep configuration to detect successful login attempts.