WAP: Bruteforcing an HTTP forms auth login page using Burpsuite

You need to firstly make sure that your proxy settings are correctly set to the localhost with port 8080:

Open up Burpsuite and ensure that the intercept option is turned on:


Now open up the website you are targeting and type in anything in the username and password fields and clicking on sign in (you just want to intercept the request – it will make sense shortly):


Your request will be intercepted by Burp, so if you are not seeing anything on the webpage – it’s normal. Go back to Burp to see the details of the request. Right click in the RAW window and click on Send to Intruder (or press CTRL+I). You will see the Intruder tab light up – click on it.

Now you need to select your payload positions and attack type:


Make sure you select cluster bomb as your attack type and then click on the payloads option. The 1st payload set needs to be a simple list as this will represent an email/username as seen above: “email=$aa$”, the second will be your password (password=$a$) which needs to be set to brute forcer. (In this example the usernames are known and are entered manually from the ADD field, but a user list could also be uploaded using the LOAD option. Proper foot-printing and reconnaissance of the target will help you when compiling a custom list)



Once you are satisfied with the options you have set click on Intruder (the TOP button) and start attack:


Eventually your brute force attack should succeed and will reward you with the correct username/password combination (if you are using a free version of burpsuite then you can expect to wait about an hour for this to finish).


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s