Hydra http-post-form based on length of the response
Information Security Asked by Riccardo D on February 13, 2021
is there any way for hydra to understand the correct combination ^USER^ and ^PASS^ in a http-post-form authentication attack based on the length of the body response?
Like in Burpsuite you can look at the length and understand password and username.
So basically how can I setup hydra to look at the length parameter during a http-post-form?
One Answer
I'm not sure if this is possible to do with Hydra, but I would recommend using ffuf for this.
You can do an HTTP-POST form bruteforce based on length like this:
ffuf -w /path/to/wordlist.txt -X POST -d "username=admin&password=FUZZ" -u https://target/login.php -fl 480
-fl: tells it to filter out the length you don't want (failed attempt)
FUZZ: is where it will replace words from the wordlist in the request
Although in this approach the username would be static. A little bash scripting hack would solve that.
Answered by Khalid on February 13, 2021
Add your own answers!
Related Questions
Hardware components based on which to generate password
2 Asked on December 10, 2021 by geo-m
What are the prerequisites for cloning a Trusted Platform Module (TPM), and how does that affect security?
0 Asked on December 10, 2021
Protecting firmware .bin from reverse engineering
3 Asked on December 8, 2021 by ddbe
Does HTTP/2 prevent security vulnerabilites like CRLF injection?
1 Asked on December 8, 2021 by dipesh-sunrait
PMK is what prevent to generate the PTK and decrypt the traffic?
2 Asked on December 4, 2021 by loopofnegligence
Is this event a security concern: Windows 10: Event 360, User Device Registration?
1 Asked on December 4, 2021
Smart card + GnuPG: what is stored in my keyring/how to adopt smart card?
5 Asked on December 2, 2021 by askford
If a hacker were to obtain a shipping tracking number what could be compromised?
6 Asked on December 2, 2021
Can firewalls decrypt SSL packets?
3 Asked on November 30, 2021 by iancool
Associate API key with user
3 Asked on November 30, 2021 by brad-stevanus
Trusting CA Certificates by Thumbprint
1 Asked on November 30, 2021 by houtanf
Device authentication, common method
1 Asked on November 28, 2021
Should I contact the manufacturer if their product allows access to other users’ location information?
10 Asked on November 25, 2021 by lil-bits
What are the roles of the “PACKAGER” in a digital rights management system?
1 Asked on November 25, 2021
How exactly can an infected Samsung TV record private conversations in a room?
2 Asked on November 23, 2021
Getting the hostname of devices in the local lan
0 Asked on November 23, 2021 by gilad-naaman
Ask a Question
Get help from others!
Recent Answers
- Peter Machado on Why fry rice before boiling?
- Jon Church on Why fry rice before boiling?
- Joshua Engel on Why fry rice before boiling?
- Lex on Does Google Analytics track 404 page responses as valid page views?
- haakon.io on Why fry rice before boiling?
Recent Questions
- How Do I Get The Ifruit App Off Of Gta 5 / Grand Theft Auto 5
- Iv’e designed a space elevator using a series of lasers. do you know anybody i could submit the designs too that could manufacture the concept and put it to use
- Need help finding a book. Female OP protagonist, magic
- Why is the WWF pending games (“Your turn”) area replaced w/ a column of “Bonus & Reward”gift boxes?
- Does Google Analytics track 404 page responses as valid page views?