TransWikia.com

Hydra http-post-form based on length of the response

Information Security Asked by Riccardo D on February 13, 2021

is there any way for hydra to understand the correct combination ^USER^ and ^PASS^ in a http-post-form authentication attack based on the length of the body response?

Like in Burpsuite you can look at the length and understand password and username.For username jack, the found password is 12345678 based on the different length of the response

So basically how can I setup hydra to look at the length parameter during a http-post-form?

One Answer

I'm not sure if this is possible to do with Hydra, but I would recommend using ffuf for this.

You can do an HTTP-POST form bruteforce based on length like this:

ffuf -w /path/to/wordlist.txt -X POST -d "username=admin&password=FUZZ" -u https://target/login.php -fl 480

-fl: tells it to filter out the length you don't want (failed attempt) FUZZ: is where it will replace words from the wordlist in the request

Although in this approach the username would be static. A little bash scripting hack would solve that.

Answered by Khalid on February 13, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP