Dictionary Based Bruteforcing

Open burpsuite

Start monitoring requests

Login with incorrect password and see the response

Login with correct password and see the response

Correct one has greater response length as userinfo is sent back too

Incorrect one smaller response size as only error is shown

Send login request (where username and password is sent to login.php) to Burp Intruder

Remove all $$ and add them to username and password parameter value using add button

username=$test$&password=$test$

Choose attack type clusterbomb

Goto payloads and enter sample usersnames in payload 1

Sample passwords in payload 2

Start the attack

Sort output by response length, ones with higher length will be correct credentials

PreviousDictionary Based Brute Force AttacksNextLogical Bruteforcing

Last updated