
Launch a Web Application Bruteforce Using Burp Suite

By: fr4nc1stein
June 22, 2015
Perform this Web Application Bruteforce in 11 Steps using Burp Suite

Hello to all Cybrary Members.

This is my process for launching a brute-force attack against a web application's login page. Today, web applications rely on a defense mechanism we call authentication, implemented through login pages. I'm going to show you how to run this brute-force attack using a simple proxy tool.

Requirements:
1. Burp Suite
2. Wordlist (search Google for username and password wordlists)
3. Common sense

Step 1: Ensure Burp Suite's proxy listener is correctly configured.
a. Open Burp Suite > Proxy tab > Options > Proxy Listeners section. You should see the table with "" in the interface column. Check the checkbox.

Step 2: Browser configuration.
a. Open any browser and set its proxy host address to the default and the port to 8080 for both the HTTP and HTTPS protocols.

Step 3: Intercept is on.
a. In the Proxy tab, Intercept sub-tab, click the Intercept On button.

Step 4: Login page.
a. Go to the login page of the target site and enter "test" in the username and password fields. Press Enter to submit.

Step 5: Capture the request.
a. After pressing Enter, you can view the captured request in the Intercept tab.
b. Right-click.
c. Choose Send to Intruder.
Note: The Intruder tab highlights; you can navigate to this tab.

Step 6: Go to the Intruder tab.
a. Clear the pre-set payload positions by clicking the Clear button in the right corner.
b. Highlight the username and password values and add them as payload positions.
c. Change the attack type to Cluster bomb.

Step 7: Set the payloads for the username.
a. Go to the Payloads tab.
b. Set the Payload Set to "1" and the payload type to "Simple list".
c. In Payload Options, enter the possible usernames from the wordlist.

Step 8: Set the payloads for the password.
a. Change the Payload Set to "2".
b. In Payload Options, enter the possible passwords from the wordlist.

Step 9: Start the attack.
a. Click the Intruder menu at the top.
b. Click Start attack.

Step 10: Find the result.
a. In the Intruder attack window, the table lists the results of the attack.
b. By viewing the response for each row, we can see whether a user was successfully logged in.

Step 11: Confirm.
a. You can confirm using the information Burp Suite gives you.

Thanks!
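Step 10 works because a brute-force run leaves a very uniform trace: many POSTs to the same login URL from one source in a short time, nearly all of them returning the same failure response, with any success standing out as the row that looks different. That same pattern is what a defender looks for in the web server's access log. The Python script below is an added example for this post, not code from the original article or from Burp Suite. It runs over constructed combined-format log lines (the IP addresses, the /login path, the 60-second window and the threshold of 10 attempts are all assumptions), flags any source that exceeds the threshold inside a window, and reports the dominant (failure) response together with the rows that break the pattern.

```python
"""Detect login brute-force bursts in a web-server access log.

Added example for this post; not Burp Suite code. The log lines below are
constructed, and the login path, window and threshold are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_access_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'method': m['method'],
        'path': m['path'],
        'status': int(m['status']),
        'size': int(m['size']),
    }


def detect_login_bursts(log_lines, login_path='/login',
                        window=timedelta(seconds=60), threshold=10):
    """Return {ip: summary} for sources that POST to login_path at least
    `threshold` times inside any span of length `window`."""
    posts = defaultdict(list)
    for line in log_lines:
        rec = parse_access_line(line)
        if rec and rec['method'] == 'POST' and rec['path'] == login_path:
            posts[rec['ip']].append(rec)

    alerts = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r['ts'])
        # Sliding window: the most login attempts this source made within `window`
        peak, start = 0, 0
        for end in range(len(recs)):
            while recs[end]['ts'] - recs[start]['ts'] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        # Response profile: a brute force yields many identical failure
        # responses; rows that break the pattern (e.g. a redirect) need review.
        profile = Counter((r['status'], r['size']) for r in recs)
        dominant, _ = profile.most_common(1)[0]
        outliers = [(r['ts'].isoformat(), r['status'], r['size'])
                    for r in recs if (r['status'], r['size']) != dominant]
        alerts[ip] = {
            'peak_in_window': peak,
            'total_posts': len(recs),
            'dominant_response': dominant,
            'outliers': outliers,
        }
    return alerts


def _access_line(ip, t, method, path, status, size):
    """Build one constructed combined-format line (sample data, not a real log)."""
    return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"{method} {path} HTTP/1.1" {status} {size}')


_T0 = datetime(2015, 6, 22, 10, 0, 0, tzinfo=timezone.utc)

# Constructed sample: one ordinary user, then an Intruder-style burst from one IP
SAMPLE_LOG = (
    [_access_line('198.51.100.4', _T0, 'GET', '/login', 200, 2048),
     _access_line('198.51.100.4', _T0 + timedelta(seconds=15), 'POST', '/login', 200, 1532),
     _access_line('198.51.100.4', _T0 + timedelta(seconds=40), 'POST', '/login', 302, 0)]
    + [_access_line('203.0.113.7', _T0 + timedelta(milliseconds=250 * i),
                    'POST', '/login', 200, 1532) for i in range(24)]
    + [_access_line('203.0.113.7', _T0 + timedelta(seconds=6), 'POST', '/login', 302, 0)]
)

if __name__ == '__main__':
    for ip, summary in detect_login_bursts(SAMPLE_LOG).items():
        print(ip, summary)
```

The ordinary user's two POSTs stay under the threshold; the burst from 203.0.113.7 is flagged, with the 302 response listed as the one row that does not match the failure profile. Grouping by source IP matches what Intruder produces from a single machine; to catch attempts spread across many sources, group on the target username instead, which requires logging that field or reading it from the application's own authentication log.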