
http-post-form with json payload

Open tuxerrante opened this issue 3 years ago • 2 comments

Hi, I'm not able to test my website since it is a JavaScript front-end expecting a JSON payload through a POST and answering with another JSON message in case of error. In my login page there is only a password field to fill, without even a username needed.

The only example I've found on the web is from 2014 https://security.stackexchange.com/questions/57839/hydra-bruteforce-and-json

Do you know a better way to do that?

tuxerrante, Aug 10 '22 06:08

Ok, so a way to tackle this could be the following. I would advise the usage of an HTTP proxy such as OWASP ZAP or Burp Suite to capture the HTTP requests happening when you log in and when you are trying to use hydra.

So I would do the following:

  1. Capture through the proxy the HTTP request when you log in normally from your web browser and save it;
  2. Capture through the proxy the HTTP request when you are trying to bruteforce with hydra and save it;
  3. At this point you can compare the requests and understand what you are doing wrong with hydra.

I think this could be the first step to understand how we should tune hydra for your specific scenario.

gnebbia, Aug 15 '22 08:08
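
The comparison in step 3 above can be scripted. This is an added example, not part of the thread or of hydra: it parses two raw requests as saved from a proxy and lists how the request line, headers and body shape differ. The host, path, header set and both sample requests are constructed for illustration.

```python
import json

def parse_request(raw):
    """Split a raw HTTP request into (request line, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip().split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()

def body_shape(body):
    """Describe the body: sorted keys for a JSON object, else a label."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "not JSON"
    return sorted(doc) if isinstance(doc, dict) else "JSON non-object"

def compare_requests(browser_raw, tool_raw):
    """Return readable differences, browser value first, tool value second."""
    b_line, b_hdrs, b_body = parse_request(browser_raw)
    t_line, t_hdrs, t_body = parse_request(tool_raw)
    diffs = []
    if b_line != t_line:
        diffs.append(f"request line: {b_line!r} vs {t_line!r}")
    for name in sorted(set(b_hdrs) | set(t_hdrs)):
        if name == "content-length":  # follows from the body, not a cause
            continue
        if b_hdrs.get(name) != t_hdrs.get(name):
            diffs.append(f"header {name}: {b_hdrs.get(name)!r} vs {t_hdrs.get(name)!r}")
    if body_shape(b_body) != body_shape(t_body):
        diffs.append(f"body: {body_shape(b_body)!r} vs {body_shape(t_body)!r}")
    return diffs

# Constructed samples: a JSON login request and a form-encoded one.
BROWSER = ("POST /api/login HTTP/1.1\r\nHost: app.example.test\r\n"
           "Content-Type: application/json\r\n"
           "X-Requested-With: XMLHttpRequest\r\n\r\n"
           '{"password": "placeholder"}')
TOOL = ("POST /api/login HTTP/1.1\r\nHost: app.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "password=placeholder")

if __name__ == "__main__":
    for line in compare_requests(BROWSER, TOOL):
        print(line)
```

Password values are deliberately not compared, since they differ on every attempt; only the keys of a JSON body are.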