Introduction
Burp Suite is a powerful platform for web application security testing. One of its most versatile tools is Burp Intruder, which allows you to automate customized attacks against web applications. Intruder has several attack types, each designed for different testing scenarios.
The Pitchfork attack type is used when you need to test multiple parameters with different, but related, payloads simultaneously. It uses a separate payload list for each marked position. During the attack, Intruder takes the first payload from the first list and pairs it with the first payload from the second list, then the second with the second, and so on. This is ideal for testing things like a list of known username and password pairs.
In this lab, you will learn how to configure and execute a Pitchfork attack in Burp Intruder against a simple login form.
Send a Request with Two Parameters to Intruder
In this step, you will launch Burp Suite, capture a login request, and send it to the Intruder tool for modification. The lab environment has already started a simple web application for you to test.
First, open a terminal from the desktop and launch Burp Suite. You can typically find it in the application menu or launch it from the command line. For this lab, we will launch it from the terminal.
burpsuite
In the startup wizard, select "Temporary project" and click "Next", then click "Start Burp".
Once Burp Suite is open, go to the Proxy tab, and then the Intercept sub-tab. Click the "Open Browser" button. This will launch a Chromium browser pre-configured to work with Burp's proxy.
In the Burp browser, navigate to the target application by entering the following URL:
http://127.0.0.1:8000
You will see a simple login form. Go back to the Burp Suite window and turn off interception by clicking the "Intercept is on" button so it changes to "Intercept is off". This allows requests to flow freely to the application.
Now, return to the browser. Enter test for the username and test for the password, then click "Submit".
Go back to the Burp Suite window and navigate to the Proxy > HTTP history tab. You should see a POST /login request in the history list. Right-click on this request and select "Send to Intruder".
This action sends a copy of the request to the Intruder tool, where you can configure the attack. You should see the Intruder tab highlighted.
Add Payload Markers to Both Parameters
In this step, you will define the positions in the request where Intruder should place its payloads. For a Pitchfork attack, you need to mark each parameter value you want to fuzz.
Navigate to the Intruder tab, and then to the Positions sub-tab. You will see the captured POST /login request.
Burp Intruder often automatically identifies potential payload positions and marks them with § symbols. For this lab, we want to control the positions precisely. First, click the Clear § button on the right side to remove any default markers.
The request body at the bottom of the window looks like this:
username=test&password=test
We want to insert payloads into the values of both the username and password parameters.
- In the request editor, highlight the value test for the username parameter.
- Click the Add § button on the right. The parameter should now look like username=§test§.
- Next, highlight the value test for the password parameter.
- Click the Add § button again. The parameter should now look like password=§test§.
Your request body should now have two marked positions:
username=§test§&password=§test§
These markers tell Intruder exactly where to place the payloads from the corresponding payload sets.
Set the Attack Type to 'Pitchfork'
In this step, you will select the Pitchfork attack type. This is the crucial setting that enables the paired payload injection behavior we want to test.
While still in the Intruder > Positions tab, locate the "Attack type" dropdown menu at the top of the screen. It is likely set to Sniper by default.
Click on the dropdown menu. You will see four options:
- Sniper: Uses a single payload set and iterates through each position one by one.
- Battering ram: Uses a single payload set and places the same payload in all positions at once.
- Pitchfork: Uses multiple payload sets. It pairs the first payload from set 1 with the first from set 2, the second with the second, and so on.
- Cluster bomb: Uses multiple payload sets and tests every possible combination of payloads.
For our scenario of testing username/password pairs, Pitchfork is the correct choice. Select Pitchfork from the list.
Once you select Pitchfork, you'll notice that the interface doesn't change much on this screen, but Burp is now prepared to handle two separate payload lists corresponding to the two payload markers you set in the previous step.
Configure Two Separate Payload Lists in the Payloads Tab
In this step, you will configure the two lists of payloads that the Pitchfork attack will use. The first list will contain usernames, and the second will contain corresponding passwords.
Navigate to the Payloads sub-tab within the Intruder tab.
Because you selected the Pitchfork attack type and have two payload positions, you will see a "Payload set" dropdown menu. This allows you to configure each payload list independently.
Configure Payload Set 1 (Usernames):
- Ensure the "Payload set" dropdown is set to 1.
- The "Payload type" should be "Simple list".
- In the "Payload Options" section below, click the Clear button to remove any default items.
- Click the Add button and enter the following usernames, one by one: user, guest, admin, test
Configure Payload Set 2 (Passwords):
- Now, select 2 from the "Payload set" dropdown.
- Again, ensure the "Payload type" is "Simple list".
- Click the Clear button to empty the list.
- Click the Add button and enter the following passwords, which correspond to the usernames in the first list, one by one: userpass, guest, password123, test
You have now configured two distinct payload lists. The Pitchfork attack will pair them in order: (user, userpass), (guest, guest), (admin, password123), and (test, test). The total number of requests will be 4, which is the size of your lists.
Run the Attack and Observe Paired Payload Injection
In this final step, you will launch the attack and analyze the results to see the Pitchfork attack in action.
With the attack type and payloads configured, you are ready to start. In the top-right corner of the Intruder tab, click the "Start attack" button.
A new "Intruder attack (1)" window will open, displaying the results in real-time. Observe the table of results. You will see columns for "Payload 1" and "Payload 2".
Notice how the payloads are paired exactly as you configured them:
- Request 1 uses user and userpass.
- Request 2 uses guest and guest.
- Request 3 uses admin and password123.
- Request 4 uses test and test.
Now, look at the "Status" and "Length" columns. Most requests will likely have the same status code (e.g., 200) and response length, indicating a failed login attempt. However, one request should stand out. The request with the payload pair admin and password123 is the correct credential set. You should see a different response length for this request, indicating a different server response (e.g., a "Login successful!" message).
Example of expected results:
| Request | Payload 1 | Payload 2 | Status | Length |
|---|---|---|---|---|
| 1 | user | userpass | 200 | 450 |
| 2 | guest | guest | 200 | 450 |
| 3 | admin | password123 | 200 | 452 |
| 4 | test | test | 200 | 450 |
By observing this difference, you have successfully identified the valid credentials using a Pitchfork attack. You can now close the attack window.
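To make the pairing behaviour concrete, here is an added Python model (not part of the lab or of Burp Suite itself) of how Intruder's four attack types combine the two payload sets from this lab, plus the response-length outlier check you performed by eye on the results table. The function names and the RESULTS rows are constructed for this example; the payload values and lengths come from the lab text above.

```python
from itertools import product
from collections import Counter

# The two payload sets configured in the lab (Payload set 1 and 2).
USERNAMES = ["user", "guest", "admin", "test"]
PASSWORDS = ["userpass", "guest", "password123", "test"]


def pitchfork(*payload_sets):
    """Pair the i-th payload of every set. Like Intruder, the run stops
    at the end of the shortest set, so 4 usernames x 4 passwords -> 4 requests."""
    return list(zip(*payload_sets))


def cluster_bomb(*payload_sets):
    """Every combination across sets: 4 x 4 -> 16 requests."""
    return list(product(*payload_sets))


def battering_ram(payloads, positions):
    """One payload set, the same payload placed in every position at once."""
    return [tuple([p] * positions) for p in payloads]


def sniper(payloads, positions, base):
    """One payload set, one position fuzzed at a time; the other positions
    keep their base (captured) value. 4 payloads x 2 positions -> 8 requests."""
    out = []
    for i in range(positions):
        for p in payloads:
            row = list(base)
            row[i] = p
            out.append(tuple(row))
    return out


def length_outliers(results):
    """results: rows of (payload1, payload2, status, length).
    Return the rows whose response length differs from the most common one,
    i.e. the same anomaly you spot in the Length column of the attack window."""
    common_len = Counter(r[3] for r in results).most_common(1)[0][0]
    return [r for r in results if r[3] != common_len]


# Constructed rows matching the expected-results table of the lab.
RESULTS = [
    ("user", "userpass", 200, 450),
    ("guest", "guest", 200, 450),
    ("admin", "password123", 200, 452),
    ("test", "test", 200, 450),
]
```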
Summary
In this lab, you have successfully configured and executed a Pitchfork attack using Burp Intruder.
You learned how to:
- Intercept a web request using Burp Proxy and send it to Intruder.
- Manually set payload markers on multiple parameter positions.
- Select the Pitchfork attack type, which is designed for related, multi-parameter fuzzing.
- Configure two separate and corresponding payload lists for the username and password parameters.
- Launch the attack and analyze the results to identify anomalies, successfully finding the correct login credentials by observing the paired payload injection.
The Pitchfork attack is a valuable technique for testing scenarios where data in multiple parameters is linked, such as usernames and passwords, or any other paired data sets.
