Spraying
#Example of spraying or stuffing accounts and passwords against a website
Launch Burp Suite, intercept on, Proxy > Intercept
Enable FoxyProxy
On the website, enter an account and password
Burp > Intercept > Raw - Right click and 'send to intruder'
Burp > Intruder > 1 or 2 > Positions
Clear §
Select the email address and password parameters and 'Add §'
Attack type > Pitchfork - user to password one-to-one mapping
Attack type > Cluster bomb - each password is tried against each user
Payloads > 1 > paste in email addresses
Payloads > 2 > paste in passwords
Start attack
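#Detection side of the two attack types above (added example, not part of the original notes)
The two attack types leave different traces in authentication logs: Pitchfork yields one failure per account, Cluster bomb yields repeated failures per account. The log tuple layout, thresholds and function name below are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data: failed logins as (timestamp, source IP, username).
# IPs come from the documentation ranges; usernames are made up.
USERS = ["alice", "bob", "carol", "dave"]
SAMPLE_FAILURES = (
    # one failure per account from one source
    [(f"2024-01-01T10:00:{i:02d}", "203.0.113.10", u) for i, u in enumerate(USERS)]
    # two failures per account from one source (two passes over the user list)
    + [(f"2024-01-01T11:0{r}:{i:02d}", "198.51.100.7", u)
       for r in range(2) for i, u in enumerate(USERS)]
    # a single user mistyping their own password
    + [(f"2024-01-01T12:00:0{i}", "192.0.2.5", "erin") for i in range(3)]
)


def classify_sources(events, window=timedelta(minutes=10), min_users=4):
    """Flag source IPs whose failed logins fan out over many accounts.

    Returns {ip: {"users", "max_attempts_per_user", "pattern"}} where pattern is
    "one-to-one" (each account tried once, as Pitchfork produces) or
    "many-per-user" (each account tried repeatedly, as Cluster bomb produces).
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        best = Counter()
        # Slide a window over the failures and keep the one with most accounts.
        for i, (start, _) in enumerate(rows):
            seen = Counter(u for t, u in rows[i:] if t - start <= window)
            if len(seen) > len(best):
                best = seen
        if len(best) < min_users:
            continue  # too few distinct accounts to be a list-driven run
        per_user = max(best.values())
        findings[ip] = {
            "users": len(best),
            "max_attempts_per_user": per_user,
            "pattern": "one-to-one" if per_user == 1 else "many-per-user",
        }
    return findings


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_FAILURES).items():
        print(ip, info)
```

This groups by source IP only, so a run spread across many source addresses needs the same count keyed on another field (for example user agent or time window alone).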