Password brute-forcing

The tools discussed in the Web Fuzzing section can also be utilized for a web-based password brute-force attack.

Example with ffuf (content-type application/json)

Suppose we want to brute-force a POST request to the URL http://vuln-website.com/user/login, and that the server expects the data in JSON format with the fields username (test) and password. The general format of the request will be:

$ ffuf -X POST -H "content-type:application/json" -d <data> -w <password_wordlist> -u http://vuln-website.com/user/login 

The data field can be replaced with the following:


$ ffuf ... -d "{\"username\":\"test\",\"password\":\"FUZZ\"}"
# OR
$ ffuf ... -d '{"username":"test","password":"FUZZ"}'

Note the escaping of the double quotes with the \ symbol in the first example, the use of single quotes in the second example, and the FUZZ keyword, which marks where ffuf substitutes each entry from the wordlist.

Example with ffuf (content-type application/x-www-form-urlencoded)

$ ffuf -X POST -H "content-type:application/x-www-form-urlencoded" -d "username=test&password=FUZZ" -u ...
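
From the defending side, a run like the ones above appears in the application's authentication log as a burst of failed logins for one account from one client. The detector below is an added example, not part of the original page; the log line format, the 401/200 status codes and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed application auth-log format, constructed for this example.
# 401 = failed login, 200 = successful login (assumption, not from the page).
LINE_RE = re.compile(r"(?P<ts>\S+) POST /user/login ip=(?P<ip>\S+) "
                     r"user=(?P<user>\S+) status=(?P<status>\d{3})$")

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (ip, user) pairs with >= threshold failed logins inside a sliding
    window. The value is True if a successful login followed the burst."""
    failures = defaultdict(deque)   # (ip, user) -> timestamps of recent 401s
    flagged = {}                    # (ip, user) -> success seen after burst?
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # unrelated or malformed line
        key = (m["ip"], m["user"])
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if m["status"] == "401":
            q = failures[key]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(key, False)
        elif m["status"] == "200" and key in flagged:
            flagged[key] = True     # login succeeded after a burst: investigate
    return flagged

def sample_log():
    """Constructed events: a wordlist run, a user typo, widely spaced failures."""
    fmt = "2024-05-01T{}Z POST /user/login ip={} user={} status={}"
    burst = [fmt.format(f"10:00:{s:02d}", "203.0.113.7", "test", 401) for s in range(6)]
    hit = [fmt.format("10:00:06", "203.0.113.7", "test", 200)]
    typo = [fmt.format("10:01:00", "198.51.100.4", "alice", 401),
            fmt.format("10:01:09", "198.51.100.4", "alice", 200)]
    spaced = [fmt.format(f"11:{m:02d}:00", "192.0.2.9", "bob", 401) for m in range(0, 50, 10)]
    return burst + hit + typo + spaced

if __name__ == "__main__":
    for (ip, user), success in detect_bruteforce(sample_log()).items():
        print(ip, user, "SUCCESS AFTER BURST" if success else "failures only")
```

A flagged pair whose value is True means a login succeeded right after the burst, so that account's credentials should be treated as exposed and reset.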
