Brute Force Attacks

Brute Force Attacks involve systematically trying all possible combinations of credentials (e.g., passwords or encryption keys) until the correct one is found.

Sniper Attack

The example below is based on PortSwigger's Username enumeration via different responses lab.

We can perform username enumeration by running a brute force attack (BFA) against the username field (Figure 1) and then checking whether any response's Content-Length stands out from the rest (Figure 2).

Note that the words "username" and "password" are both 8 characters long, so the difference below comes only from the words "Invalid" and "Incorrect". If both messages used the same word, there would be no difference in Content-Length and we would have to try a time-based BFA instead.

Figure 1: Performing a BFA against usernames.
Figure 2: Performing a BFA against a user's password.

Clusterbomb Attack

The example below is based on PortSwigger's Username enumeration via subtly different responses lab.

Instead of brute-forcing the username and the password separately, we can also perform a Cluster bomb attack against both simultaneously (Figure 3).

Figure 3: Performing a Cluster bomb BFA against both usernames and passwords.

Pitchfork Attack

In pitchfork mode ffuf walks the wordlists in parallel, pairing the n-th email with the n-th password rather than trying every combination; -fc 401 hides the responses whose status code is 401.

ffuf -mode pitchfork -u http://vapi.apisec.ai/vapi/api2/user/login -w emails:EMAIL,passwords:PASS -X POST -H 'Content-Type: application/json' -d '{"email":"EMAIL","password":"PASS"}' -c -fc 401

Password Spray

The example below is based on TCM's Practical Bug Bounty course.

This time the web application has an account lockout policy that is enforced after five failed login attempts (Figure 4).

Figure 4: The web application's lockout policy.

To avoid locking out accounts, instead of brute-forcing the login page, we can perform a password spray attack: take a username list, such as top-usernames-shortlist.txt, and try just four common passwords at a time against it, taken from a list such as best15.txt. This results in four login attempts per account, one shy of lockout (Figure 5).

Figure 5: Performing a password spray attack.

Repeating the password spray attack with the third set of passwords, we successfully log in as admin (Figure 6).

Figure 6: Successfully logging in as admin.
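The spray pattern above has a clear signature on the defending side: one source fails against many different accounts while each account stays below the lockout threshold, so the lockout policy alone never fires. The following Python script is an added example (not from the page, the course or the lab) that implements that detection over a constructed auth log; the log format, IP addresses and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): "<ISO timestamp> src=<ip> user=<name> result=FAIL|OK"
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|OK)$")

# Constructed sample log: 203.0.113.7 tries four passwords against each of three
# accounts (one shy of a five-attempt lockout); 198.51.100.2 is an ordinary user typo.
SAMPLE_LOG = "\n".join(
    f"2024-01-01T10:{i:02d}:00 src=203.0.113.7 user={u} result=FAIL"
    for i, u in enumerate(["admin"] * 4 + ["root"] * 4 + ["test"] * 4)
) + ("\n2024-01-01T10:30:00 src=198.51.100.2 user=alice result=FAIL"
     "\n2024-01-01T10:31:00 src=198.51.100.2 user=alice result=OK\n")


def parse(log_text):
    """Return a list of (timestamp, src, user, result) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def detect_spray(log_text, lockout_threshold=5, min_users=3, window=timedelta(minutes=15)):
    """Flag sources whose failed logins hit at least min_users distinct accounts
    inside one sliding window. Returns {src: (distinct_users, max_attempts_per_user,
    stayed_under_lockout)}; True in the last slot means lockout alone would not have caught it."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in parse(log_text):
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort()  # chronological; each failure in turn opens a window
        for i, (t0, _) in enumerate(fails):
            per_user = Counter(u for t, u in fails[i:] if t - t0 <= window)
            if len(per_user) >= min_users:
                worst = max(per_user.values())
                alerts[src] = (len(per_user), worst, worst < lockout_threshold)
                break
    return alerts


if __name__ == "__main__":
    for src, (users, attempts, under) in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {users} accounts, max {attempts} attempts each, under lockout={under}")
```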
