Brute Force Attacks
A successful brute-force attack can lead to unauthorized access to accounts or systems if strong passwords or other protective measures are not in place.
Implement account lockout mechanisms, use multi-factor authentication (MFA), enforce strong password policies, and employ rate limiting or CAPTCHA to prevent rapid, repeated login attempts.
The example below is based on PortSwigger's lab.
We can perform username enumeration by running a brute-force attack (BFA) against the login form (Figure 1) and then checking whether any response's Content-Length stands out from the rest (Figure 2).
Instead of brute-forcing the username and the password separately, we can also perform a Cluster bomb attack against both simultaneously (Figure 3).
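The Content-Length tell described above exists because the application answers "unknown user" and "wrong password" with different bodies. The following is an added example (not code from the lab or from PortSwigger) showing a minimal login handler in both forms: the enumerable one, and a hardened one that returns the same generic message and performs the same password-hashing work whether or not the username exists. The user store, salts and passwords are constructed for the demo; `response_lengths_vary` is a self-check a defender can run against their own handler.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for the demo


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed demo user store: username -> (salt, PBKDF2 hash). Not a real account.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# Dummy credential: unknown usernames are checked against this so the server
# does the same amount of hashing work on every request (no timing tell).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-placeholder", _DUMMY_SALT)


def login_vulnerable(username: str, password: str):
    """Enumerable: distinct messages (and so distinct Content-Length) per failure cause."""
    record = USERS.get(username)
    if record is None:
        return 401, "Invalid username"          # 16 bytes
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return 200, "Login successful"
    return 401, "Incorrect password"            # 18 bytes -> username is valid


def login_hardened(username: str, password: str):
    """Uniform: one generic failure message, identical hashing work on every path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    # Succeed only for a real user; a match against the dummy hash is never a login.
    if matched and username in USERS:
        return 200, "Login successful"
    return 401, "Invalid username or password"


def response_lengths(handler, attempts):
    """Body length per (username, password) guess, i.e. what Content-Length would show."""
    return {(u, p): len(handler(u, p)[1].encode()) for u, p in attempts}


def response_lengths_vary(handler, attempts) -> bool:
    """True when failed attempts do not all produce the same body length (enumerable)."""
    lengths = {length for (u, p), length in response_lengths(handler, attempts).items()
               if handler(u, p)[0] != 200}
    return len(lengths) > 1


if __name__ == "__main__":
    probes = [("admin", "wrong"), ("nobody", "wrong")]
    print("vulnerable leaks:", response_lengths_vary(login_vulnerable, probes))
    print("hardened leaks:  ", response_lengths_vary(login_hardened, probes))
```

Equal body length is necessary but not sufficient: status code, headers, redirects and response time must also be identical across the two failure paths, which is why the hardened handler hashes a dummy credential for unknown users instead of returning early.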
This time the web application has an account lockout policy that is enforced after five failed login attempts (Figure 4).
To avoid locking out accounts, instead of brute-forcing the login page, we can perform a password spray attack by using a username list, such as the , with just four common passwords at a time taken from a list such as . This results in four login attempts per account, one shy of lockout (Figure 5).
Typically, the lockout policy resets after a period of time, so we would have to wait for it before trying the next set of four passwords. In this case, we can simply reset the database by visiting /init.php.
Repeating the password spray attack with the third set of passwords, we successfully log in as admin (Figure 6).
The example below is based on PortSwigger's lab.
The example below is based on TCM's course.
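Per-account lockout never fires against the spray pattern above, because each account only ever sees four failures. What does expose it is the per-source view: one client failing against many different usernames, each just under the lockout threshold. The following is an added detection example (not code from the page, from the lab or from either course): it parses authentication log lines in an assumed format, and for each source IP it slides a time window over the failures and raises a `spray` alert (many users, each below the lockout threshold) or a `bruteforce` alert (one user at or above the threshold). The log lines are constructed for the demo and use documentation-range IPs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ts> auth <OK|FAIL> user=<u> src=<ip>").
# 203.0.113.7  sprays two passwords across five accounts (never trips lockout).
# 203.0.113.9  hammers a single account six times (lockout should have fired).
# 198.51.100.4 is a user who mistypes once and then logs in.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z auth FAIL user=alice src=203.0.113.7
2024-01-01T10:00:02Z auth FAIL user=bob src=203.0.113.7
2024-01-01T10:00:03Z auth FAIL user=carol src=203.0.113.7
2024-01-01T10:00:04Z auth FAIL user=dave src=203.0.113.7
2024-01-01T10:00:05Z auth FAIL user=erin src=203.0.113.7
2024-01-01T10:00:06Z auth FAIL user=alice src=203.0.113.7
2024-01-01T10:00:07Z auth FAIL user=bob src=203.0.113.7
2024-01-01T10:00:08Z auth FAIL user=carol src=203.0.113.7
2024-01-01T10:00:09Z auth FAIL user=dave src=203.0.113.7
2024-01-01T10:00:10Z auth FAIL user=erin src=203.0.113.7
2024-01-01T10:01:00Z auth FAIL user=admin src=203.0.113.9
2024-01-01T10:01:01Z auth FAIL user=admin src=203.0.113.9
2024-01-01T10:01:02Z auth FAIL user=admin src=203.0.113.9
2024-01-01T10:01:03Z auth FAIL user=admin src=203.0.113.9
2024-01-01T10:01:04Z auth FAIL user=admin src=203.0.113.9
2024-01-01T10:01:05Z auth FAIL user=admin src=203.0.113.9
2024-01-01T10:02:00Z auth FAIL user=alice src=198.51.100.4
2024-01-01T10:02:05Z auth OK user=alice src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn log text into (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def failures_by_source(events):
    """Group FAIL events per source IP, sorted by time."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    for fails in by_src.values():
        fails.sort()
    return by_src


def detect(events, window=timedelta(minutes=10), min_spray_users=5, lockout_threshold=5):
    """Return {src: alert}. 'bruteforce' = one user failed >= lockout_threshold times in
    the window; 'spray' = >= min_spray_users distinct users failed, every one of them
    below lockout_threshold (the pattern account lockout alone cannot see)."""
    alerts = {}
    for src, fails in failures_by_source(events).items():
        start = 0
        for end in range(len(fails)):
            # Advance the window start so fails[start:end+1] spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            worst = max(per_user.values())
            if worst >= lockout_threshold:
                alerts[src] = {"kind": "bruteforce", "users": len(per_user), "max_fails_per_user": worst}
            elif len(per_user) >= min_spray_users:
                alerts[src] = {"kind": "spray", "users": len(per_user), "max_fails_per_user": worst}
    return alerts


if __name__ == "__main__":
    for src, alert in detect(parse_events(SAMPLE_LOG)).items():
        print(src, alert)
```

The thresholds are the two knobs the page's mitigations map onto: `lockout_threshold` mirrors the application's per-account policy, while `min_spray_users` is the per-source signal that justifies rate limiting or blocking the client rather than the accounts. Tune the window to the lockout reset period, since a patient sprayer spaces its batches to match it.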