Launch a Web Application Bruteforce Using Burp Suite

June 22, 2015 | Views: 6427

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Hello to all Cybrary Members.

This is my process on how to launch a bruteforce attack on any web application. Today, web applications are using a defense mechanism we called Authentication and using Login Pages. I’m going to teach you how this bruteforce attack by using a simple proxy tools.



1. Burp Suite (click here to download)

2. Worldlist (search in Google for the username and password Wordlist)

3. Common sense


Step 1: Ensure the Burp Site is correctly configured in the browser. Perform this step to configure:

a. Open Burp Suite>Proxy Tab>Option>Proxy Listeners section. You should see the table and “” showing the interface column. Check the checkbox.


Step 2: Browser configuration. Follow this step:

a. Open any browser and change your browser’s proxy host address to default and port 8080 for both HTTP and HTTPS protocols.


Step 3: Intercept is ON: Follow this step:

a. In the Proxy tab and Intercept tab, click the Intercept On button.


Step 4: Login Page:

a. Go to the login page of the target site and input “test” in the username and password fields. Click enter to submit.


Step 5: Capture the Request:

a. After hinting enter, you can view the Intercept Tab

b. Right-click

c. Choose Send to Intruder

Note: The Intruder tab highlights; you can navigate this tab.


Step 6: Go to Intruder Tab:

a. Clear the pre-set payload positions by clicking the clear button at right corner.

b. Highlight the username and password payload position to add them.

c. Change the attack type to Clusterbomb.


Step 7: Set the Payploads in Username

a. Go to payloads

b. Set the Payload Set to “1” and type to “Simple List”

c. In payload option, enter a possible username from the Wordlist.


Step 8: Set the Payploads in Password

a. Change the Payload Set to “2”

b. In Payload option, enter a possible password from Wordlist.


Step 9: Start the Attack

a. Click the menu Intruder in the upper portion.

b. Click Start Attack


Step 10: Find the Result

a. In Intruder attack window, the tables provide interesting output from the attack.

b. By viewing the response window, we can see if there’s a successful logged in user.


Step 11: Confirm

a. You can confirm by using the information you see and given by Burp Suite.



Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Nice write up!

  2. Does this also work with BurpSuite Free?

  3. Nice job man!

Page 3 of 3«123
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?