Information Security Asked by Riccardo D on February 13, 2021
is there any way for hydra to understand the correct combination ^USER^ and ^PASS^ in a http-post-form authentication attack based on the length of the body response?
Like in Burpsuite you can look at the length and understand password and username.
So basically how can I setup hydra to look at the length parameter during a http-post-form?
I'm not sure if this is possible to do with Hydra, but I would recommend using ffuf for this.
You can do an HTTP-POST form bruteforce based on length like this:
ffuf -w /path/to/wordlist.txt -X POST -d "username=admin&password=FUZZ" -u https://target/login.php -fl 480
-fl
: tells it to filter out the length you don't want (failed attempt)
FUZZ
: is where it will replace words from the wordlist in the request
Although in this approach the username would be static. A little bash scripting hack would solve that.
Answered by Khalid on February 13, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP