gutbigo
Doujin Reader
2
MONTHS
2 2 MONTHS OF SERVICE
LEVEL 2
1000 XP
According to OWASP, Credential Stuffing means:
1- Get any combolist lets say for any website, then enable Proxy or use Chromium Browser from BurpSuite, then go to the site's login page, try to put something in it and send. Get the Request form in the Proxy of BurpSuite. Right click on it and send the request from Proxy tab to Intruder tab
https://i.ibb.co/ydK5SyW/image.png. Then go to payload subtab under the Intruder tab. Pitchfork requires 2 payload so use 1 for username/email and another for password.
https://i.ibb.co/VxSb8Ps/image.pnghttps://i.ibb.co/zJQmtDF/image.png3- Press the attack button and it will iterate through both payloads at once on both fields.
https://i.ibb.co/YNJcq1n/image.pngWell this is just a concept, I only managed to do it in tryhackme rooms but for real life situation. I dont know :| im hoping i might be able to get, but there are other things to consider such as captcha, ip block, max retries/attempts, so thats where proxy comes in which you can change your proxy in which im not sure how to change every few retries like good cracker programs. Although this is just an insight, i hope it can be put to use :|
Meaning we can input combolist and proxies to cause bruteforce attack to the login form of a website. However it will be really slow especially if you are using the Community Edition. I'll be showcase the setup and where to apply.
1- Get any combolist lets say for any website, then enable Proxy or use Chromium Browser from BurpSuite, then go to the site's login page, try to put something in it and send. Get the Request form in the Proxy of BurpSuite. Right click on it and send the request from Proxy tab to Intruder tab
https://i.ibb.co/ydK5SyW/image.png. Then go to payload subtab under the Intruder tab. Pitchfork requires 2 payload so use 1 for username/email and another for password.
https://i.ibb.co/VxSb8Ps/image.pnghttps://i.ibb.co/zJQmtDF/image.png3- Press the attack button and it will iterate through both payloads at once on both fields.
https://i.ibb.co/YNJcq1n/image.pngWell this is just a concept, I only managed to do it in tryhackme rooms but for real life situation. I dont know :| im hoping i might be able to get, but there are other things to consider such as captcha, ip block, max retries/attempts, so thats where proxy comes in which you can change your proxy in which im not sure how to change every few retries like good cracker programs. Although this is just an insight, i hope it can be put to use :|