Password brute-forcing

The tools discussed in the Web Fuzzing section can also be utilized for a web-based password brute-force attack.

Example with ffuf (content-type application/json)

Suppose we want to brute-force a POST request to the URL: http://vuln-website.com/user/login. Assuming that the server retrieves the data in a JSON format, with the fields: username (test) and password. The general format of the request will be:

$ ffuf -X POST -H "content-type:application/json" -d <data> -w <password_wordlist> -u http://vuln-website.com/user/login

The data field can be replaced with the following:


$ ffuf ... -d "{\"username\":\"test\",\"password\":\"FUZZ\"}"
# OR
$ ffuf ... -d '{"username":"test","password":"FUZZ"}'

Note: The escaping of the double quotes with \ symbol in the first example, the use of single quotes in the second example, and the FUZZ keyword.

Example with ffuf (content-type application/x-www-form-urlencoded)

$ ffuf -X POST -H "content-type:application/x-www-form-urlencoded" -d "username=test&password=FUZZ" -u ...

Previousuro NextBurp Suite (Community)

Last updated 11 months ago

hashtagExample with ffuf (content-type application/json)

hashtagExample with ffuf (content-type application/x-www-form-urlencoded)

Example with ffuf (content-type application/json)

Example with ffuf (content-type application/x-www-form-urlencoded)