How to brute force a web application login form using Burp Suite


Unlike other web application attacks, which target vulnerabilities in the application's code, a brute force attack targets the authentication mechanism itself. It tries to guess weak or common passwords such as "pass@123" and usernames such as "admin".

Here we will brute force the WordPress admin login page using Burp Suite. Before we start, a short introduction to Burp Suite.

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Now set up Burp Suite as the proxy for Firefox or whichever browser you are using. Enter any password into the password field. Most of the time the username will be admin, so keep it as is.

[Screenshot: login page]

Once you hit Enter, the intercepted request appears in Burp Suite. Right-click on it and choose "Send to Intruder".


Now go to the Intruder tab and click Positions. Here we set the values for our target parameter, which is PWD (the password). Select the highlighted values and click Clear, except for the "PWD" parameter, which contains the password. Instead of clearing that one, just remove the password value. The screen will now look like the one below.

[Screenshot: Intruder positions after clearing]

Now go to the "Payloads" tab and paste your password list into "Payload Options [Simple List]".

[Screenshot: Payloads tab]

Now click Intruder and start the attack.

[Screenshot: starting the attack]

Intruder will try each password from the list against the admin user, and if the correct password is in your wordlist, you will have it once the attack finishes.

Here we got a 302 HTTP redirect for the successful login with the password "#$%^&p&3a". See the screen below.

[Screenshot: attack results]

How to prevent brute force attacks:

1) Do not use common usernames.

As most web admins use common usernames like "admin", attackers always target those accounts first, so it is recommended not to use common usernames.

2) Do not use common/easy passwords.

Users must always set strong, complex passwords. As we demonstrated, it is very easy to guess and brute force common passwords with a wordlist. Web admins should set a policy that requires users to choose complex passwords containing alphanumeric and special characters.

3) Use of CAPTCHA

A Completely Automated Public Turing test to tell Computers and Humans Apart, or CAPTCHA, is a program that distinguishes between humans and computers. First widely used by AltaVista to prevent automated search submissions, CAPTCHAs are particularly effective at stopping automated abuse, including brute force attacks.
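The attack above leaves a clear trace in the web server log: a burst of POST requests to the login form from one client, answered with 200 (form re-rendered, login failed) until a 302 redirect marks the accepted password. The following detector is an added example, not code from the original post; it assumes Apache combined-format access logs, the WordPress login path /wp-login.php, and the constructed sample lines embedded below.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format, assumed):
# one client submits many passwords in quick succession. A 200 response to
# POST /wp-login.php means the form was re-rendered (login failed); a 302
# redirect means the credentials were accepted, as seen in the attack above.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [11/Nov/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [11/Nov/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [11/Nov/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [11/Nov/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [11/Nov/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [11/Nov/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.4 - - [11/Nov/2016:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, time, method, path, status) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "success_after_failures": bool}} for each
    client whose failed login POSTs reach `threshold` inside `window`."""
    attempts = defaultdict(list)  # ip -> [(time, status), ...]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            attempts[rec[0]].append((rec[1], rec[4]))
    alerts = {}
    for ip, events in attempts.items():
        events.sort()
        fails = [t for t, s in events if s == 200]
        # Sliding window: count failures within `window` of each failure.
        for i, start in enumerate(fails):
            if sum(1 for t in fails[i:] if t - start <= window) >= threshold:
                # A 302 after the burst suggests the guessing succeeded.
                hit = any(s == 302 and t > start for t, s in events)
                alerts[ip] = {"failures": len(fails), "success_after_failures": hit}
                break
    return alerts
```

A flagged client with `success_after_failures` set is the case worth acting on first: lock or reset that account and review the session that followed the redirect.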

One Comment

  • Jack

    Your post is valuable, thanks for the info

    November 11, 2016
