Hydra http-post-form based on length of the response

Information Security Asked by Riccardo D on February 13, 2021

Is there any way for hydra to understand the correct combination of ^USER^ and ^PASS^ in an http-post-form authentication attack based on the length of the body response?

Like in Burp Suite, you can look at the length and understand the password and username. For username jack, the found password is 12345678, based on the different length of the response.

So basically, how can I set up hydra to look at the length parameter during an http-post-form?

One Answer

I'm not sure if this is possible to do with Hydra, but I would recommend using ffuf for this.

You can do an HTTP-POST form bruteforce based on length like this:

ffuf -w /path/to/wordlist.txt -X POST -d "username=admin&password=FUZZ" -u https://target/login.php -fl 480

-fl: tells it to filter out the length you don't want (failed attempt)

FUZZ: is where it will replace words from the wordlist in the request

Although in this approach the username would be static. A little bash scripting hack would solve that.

Answered by Khalid on February 13, 2021
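The response-length signal discussed above is also visible to the defender in web server logs. The following is an added example, not part of the original question or answer: it scans access-log lines for a client that sends many POSTs to the login path with one dominant response size and reports the responses that differ. The path /login.php comes from the answer; the log lines, thresholds and the function name detect_guessing are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (combined format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Feb/2021:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 480 "-" "-"
203.0.113.7 - - [13/Feb/2021:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 480 "-" "-"
203.0.113.7 - - [13/Feb/2021:10:00:03 +0000] "POST /login.php HTTP/1.1" 200 480 "-" "-"
203.0.113.7 - - [13/Feb/2021:10:00:04 +0000] "POST /login.php HTTP/1.1" 200 480 "-" "-"
203.0.113.7 - - [13/Feb/2021:10:00:05 +0000] "POST /login.php HTTP/1.1" 200 1532 "-" "-"
203.0.113.7 - - [13/Feb/2021:10:00:06 +0000] "POST /login.php HTTP/1.1" 200 480 "-" "-"
198.51.100.20 - - [13/Feb/2021:10:01:00 +0000] "GET /login.php HTTP/1.1" 200 900 "-" "-"
198.51.100.20 - - [13/Feb/2021:10:01:09 +0000] "POST /login.php HTTP/1.1" 200 480 "-" "-"
198.51.100.20 - - [13/Feb/2021:10:01:20 +0000] "POST /login.php HTTP/1.1" 200 1532 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def detect_guessing(log_text, login_path="/login.php", min_attempts=5, dominant_ratio=0.8):
    """Return {client_ip: finding} for clients whose login POSTs look automated."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != login_path:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append((m["ts"], size))

    findings = {}
    for ip, posts in hits.items():
        if len(posts) < min_attempts:
            continue  # too few attempts to call it guessing
        counts = Counter(size for _, size in posts)
        failure_size, n = counts.most_common(1)[0]
        if n / len(posts) < dominant_ratio:
            continue  # no single dominant "failed login" size
        # Responses that differ from the dominant size are the ones to review
        outliers = [(ts, size) for ts, size in posts if size != failure_size]
        findings[ip] = {"attempts": len(posts), "failure_size": failure_size, "outliers": outliers}
    return findings

if __name__ == "__main__":
    for ip, f in detect_guessing(SAMPLE_LOG).items():
        print(ip, f)
```

An outlier in the output marks an account whose credentials should be treated as exposed and reset; the client with only two POSTs stays below the threshold and is not flagged.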
