WebApp Sec mailing list archives
Web form brute force with THC-Hydra... bug?
From: Danett song <danett18 () yahoo com br>
Date: Tue, 27 Feb 2007 17:13:48 -0300 (ART)
Yo guys, I seen in Owasp manual they indicate thc-hydra to brute force web form, so I solved to try it. My post request is similar to it: https://TheIp/seguro/minhaconta/login_minhaconta.asp?strEmail=USER&strSenha=PASS&I1.x=8&I1.y=10&Login=ON&Redireciona= So if I enter a correct credential I get the following: Senha Incorreta. Por favor, verifique. So If I enter a wrong credential I get the following: O e-mail ou Cpf informado não está cadastrado! Por favor, verifique. However the big trick is that the web system always return this messages in a new window (via a alert() in java script which isn't in the body of login_minhaconta.asp) and then back to the web login form, so appear that THC-Hydra is not able to recoganize it and always fail. $ hydra -L users.txt -p test33333 TheIp https-post-form "/seguro/minhaconta/login_minhaconta.asp:strEmail=^USER^&strSenha=^PASS^&I1.x=8&I1.y=10&Login=ON&Redireciona=:Cpf" Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes. Hydra (http://www.thc.org) starting at 2007-02-27 02:20:17 [DATA] 6 tasks, 1 servers, 6 login tries (l:6/p:1), ~1 tries per task [DATA] attacking service http-post-form on port 443 [STATUS] attack finished for TheIp (waiting for childs to finish) [443][www-form] host: 127.0.0.1 login: nonexistentaccount () hotmail com password: test33333 [443][www-form] host: 127.0.0.1 login: danett18 () yahoo com br password: test33333 [443][www-form] host: 127.0.0.1 login: fakeone () domain com password: test33333 [443][www-form] host: 127.0.0.1 login: blablabla () game com password: test33333 [443][www-form] host: 127.0.0.1 login: validaccount () hotmail com password: test33333 [443][www-form] host: 127.0.0.1 login: fakenonexistent () microsoft com password: test33333 Hydra (http://www.thc.org) finished at 2007-02-27 02:20:21 As you can see it say all credentials are true, while only danett18 () yahoo com br with pass test33333 is correct. If i change the "Cpf" in the command by "e-mail" it will return that no one credential is valid. Well, I belive it's a bug with web form authentication that use new window with popup, i'm right? Or i'm making something wrong? I apreciate your reply. Thank you, Daniel. __________________________________________________ Fale com seus amigos de graça com o novo Yahoo! Messenger http://br.messenger.yahoo.com/ ------------------------------------------------------------------------- Sponsored by: Watchfire The Twelve Most Common Application-level Hack Attacks Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHe --------------------------------------------------------------------------
Current thread:
- Web form brute force with THC-Hydra... bug? Danett song (Feb 28)