1

How can one brute force a website using HTTP Basic authentication using metasploit which uses XHR in background? I am getting error "No URI found that asks for HTTP authentication". Relevant headers are as below:

Authorization: Basic ###########
X-Requested-With: XMLHttpRequest

I did not found any relevant Metasploit options to set specific to XHR while using /auxiliary/scanner/http/http_login. Also site uses Ajax/Javascript for form submission.

Also when you visit the http://hostname:port it redirects to http://hostname:port>/#/signin, is this # here of any significance?
P.S. I am using URI_PATH = /#/signin as the option with no luck.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
Krishna Pandey
  • 1,497
  • 1
  • 16
  • 26
  • This is fascinating, I have no clue how my actual question asked on Security Stack Exchange, got here http://wordpressthemes.review/how-to-brute-force-http-basic-authentication-requested-with-xhr/ Are people allowed to do that? – Krishna Pandey Jan 25 '16 at 05:12
  • 1
    Krishna - discussed at http://meta.stackexchange.com/q/200177/154443 – Rory Alsop Jan 25 '16 at 13:18
  • 1
    You could edit `/usr/share/metasploit-framework/modules/auxiliary/scanner/http/http_login.rb` to include the extra header with the request, or better still you could make a custom module from it with the option to add the header. – SilverlightFox Jan 26 '16 at 09:24

1 Answers1

3

Metasploit's http_login module doesn't support arbitrary HTTP headers. If the site only responds with the XHR header included, then you might want to use a more versatile tool like hydra.

# indicates the beginning of the URI fragment. This isn't a part of the URI used for logins, but is typically used to pass options to the front-end web framework.

David
  • 15,814
  • 3
  • 48
  • 73
  • I have used Hydra to brute-force http-basic authentication with www-authenticate header, will try for XHR one as well and let you know. Thanks. – Krishna Pandey Jan 25 '16 at 18:26