
Hydra Failure String Problem


January 1, 2016

I am trying to hack myself (searching for my login form vulnerabilities). So I'm trying Hydra for the first time and I used this command:

```
hydra -L user.txt -P pass.txt -s 8080 "my ip" "username=^USER^&passsword=^PASS^":"Wrong"
```

But it didn't work because of the failure string... Because I changed it to a string from the success page and it's still the same thing. Sometimes it gives me that all the entries are correct and other times it gives that none is correct. I need help please...

Whether or not you're telling the truth or just want help to crack somebody else's website, my answer would probably disappoint you: Hydra checks only the strength of your passwords and is not about vulnerabilities at all. All interesting parts like XSS, SQLI, RCE, etc. are left out. Web forms usually don't follow any standards, so using Hydra on them is not as straightforward as copying and pasting the first example you find on the internet. The problem might not (only) be the failure string, but also your parameters. If you implemented the form, you should know them better than anybody else here. Giving you the correct parameters is not only impossible without doing recon on the page of interest, but would also be wrong. ;) Anyway, the best way is to either study web penetration testing yourself (which is a long and hard but fun way) or to hire a professional pentester.

I'm testing the form on my IP... Can you take a look here? 197.3.244.99:8080

Take a look at these links:

- [https://insidetrust.blogspot.com.br/2011/08/using-hydra-to-dictionary-attack-web.html](http://insidetrust.blogspot.com.br/2011/08/using-hydra-to-dictionary-attack-web.html)
- [https://www.youtube.com/watch?v=w\_YaZGIZ0k0](https://www.youtube.com/watch?v=w_YaZGIZ0k0)
- [http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/](http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/)
- [http://security.stackexchange.com/questions/60755/cracking-a-web-form-based-logon-with-hydra](http://security.stackexchange.com/questions/60755/cracking-a-web-form-based-logon-with-hydra)
- [http://security.stackexchange.com/questions/53353/hydra-https-form-post](http://security.stackexchange.com/questions/53353/hydra-https-form-post)
- [https://deadpackets.wordpress.com/2013/08/28/brute-force-http-em-forms-com-hydra/](https://deadpackets.wordpress.com/2013/08/28/brute-force-http-em-forms-com-hydra/)
- [https://www.owasp.org/index.php/Testing\_for\_Brute\_Force\_(OWASP-AT-004)](https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004))
- [https://blog.g0tmi1k.com/dvwa/bruteforce-low/](https://blog.g0tmi1k.com/dvwa/bruteforce-low/)
- [http://blog.pusheax.com/2014/01/dictionary-and-brute-force-attack-using.html](http://blog.pusheax.com/2014/01/dictionary-and-brute-force-attack-using.html)
- [https://www.google.com.br/#q=hydra+brute+force+forms](https://www.google.com.br/#q=hydra+brute+force+forms)

It might help. :)

@firebitsbr I am trying to hack myself

Maybe this will help you: https://www.owasp.org/index.php/Testing\_for\_Brute\_Force\_(OWASP-AT-004) (There is an example with Hydra. I guess you use it wrong...)