How to Check for a Brute Force Vulnerability on the Login Page of a Web Application

NIKHIL KUMAR GANDLA
3 min read · Oct 13, 2022
How A Brute Force Attack Works

Steps to download and install Burp Suite:

  • Download Burp Suite (Community Edition).

Link: https://portswigger.net/burp/communitydownload

  • Run the downloaded installer and complete the installation on your system.

Steps to configure Burp Suite with the web browser:

  • Configure Burp Suite to proxy the traffic of an external browser.

Link: https://portswigger.net/burp/documentation/desktop/external-browser-config

Steps to brute force a login page:

  • Open the target URL in the web browser.
  • Turn on interception in the Proxy “Intercept” tab of Burp Suite.
  • In the open browser, enter some arbitrary details into the login page and submit the request.
  • E.g.: username “test” and password “test”.
  • The captured request can be viewed in the Proxy “Intercept” tab.
  • Right-click on the request to bring up the context menu.
  • Then click “Send to Intruder”.
  • Go to the Intruder “Positions” tab.
  • Clear the pre-set payload positions by using the “Clear” button on the right of the request editor.
  • Add the “username” and “password” parameter values as positions by highlighting them and using the “Add” button.
  • Change the attack to “Cluster bomb” using the “Attack type” drop-down menu.
  • Go to the “Payloads” tab.
  • In the “Payload sets” settings, ensure “Payload set” is “1” and “Payload type” is set to “Simple list”.
  • In the “Payload options” settings enter some possible usernames.
  • You can do this manually or use a custom or pre-set payload list.
  • Next, in the “Payload Sets” options, change the “Payload” set to “2”.
  • In the “Payload options” settings enter some possible passwords.
  • You can do this manually or use a custom or pre-set list.
  • Click the “Start attack” button.
  • In the “Intruder attack” window you can sort the results using the column headers.

E.g.: sort by “Length” and by “Status”. A successful login normally returns a response whose length or status code differs from all the failed attempts, so the matching credential pair stands out as the outlier.

  • To confirm that the brute force attack has been successful, use the gathered credentials (username and password) on the web application’s login page.

You’re done.

Happy Hacking!
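Every Intruder request in the steps above also leaves a failed-login entry in the application's access log, and the successful guess is the same length/status outlier seen from the server side. As an added example (not code from the original post), the script below shows what a defender can do with that signal: it parses constructed access-log lines, counts failed POST /login requests per client inside a sliding time window, and flags a redirect that follows a burst of failures. The log format, the login path, the status codes (401 for failure, 302/303 for success) and the threshold are assumptions to adjust for a real application.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample access-log lines (not from the original post): 192.0.2.10 fails
# POST /login five times in 30 s, then gets a shorter 302 reply; 198.51.100.4 is normal.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Oct/2022:10:00:01 +0000] "POST /login HTTP/1.1" 401 1432
198.51.100.4 - - [13/Oct/2022:10:00:03 +0000] "POST /login HTTP/1.1" 302 219
192.0.2.10 - - [13/Oct/2022:10:00:06 +0000] "POST /login HTTP/1.1" 401 1432
192.0.2.10 - - [13/Oct/2022:10:00:11 +0000] "POST /login HTTP/1.1" 401 1432
192.0.2.10 - - [13/Oct/2022:10:00:17 +0000] "POST /login HTTP/1.1" 401 1432
192.0.2.10 - - [13/Oct/2022:10:00:24 +0000] "POST /login HTTP/1.1" 401 1432
192.0.2.10 - - [13/Oct/2022:10:00:31 +0000] "POST /login HTTP/1.1" 302 219
"""

# Common Log Format (assumed; adjust the pattern to your server's log format)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

def parse_line(line):
    """Parse one log line; returns a dict with datetime ts and int status, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return dict(m.groupdict(), ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                status=int(m["status"]))

def detect_login_bruteforce(log_text, threshold=5, window_seconds=300, login_path="/login"):
    """Flag client IPs with >= threshold failed logins (401) inside a sliding window;
    a redirect (302/303) after the threshold was reached is reported as success_after."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        ip, ts, failures = rec["ip"], rec["ts"], recent[rec["ip"]]
        while failures and ts - failures[0] > timedelta(seconds=window_seconds):
            failures.popleft()  # drop failures that aged out of the window
        if rec["status"] == 401:
            failures.append(ts)
            if len(failures) >= threshold:
                hit = findings.setdefault(ip, {"failures": 0, "success_after": False})
                hit["failures"] = max(hit["failures"], len(failures))
        elif rec["status"] in (302, 303) and ip in findings:
            findings[ip]["success_after"] = True
    return findings
```

Run against a real access log, `success_after` is the entry worth alerting on first, and the same counters are what a rate limit or account lockout on the login endpoint is there to cap.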