I want to test some mechanisms of my website that apply when the password of a single user is entered incorrectly many times within a short period in the login form. Therefore I got Hydra (for Windows) from GitHub.
I have the following information:
- Host: 127.0.0.1 (as I test locally)
- Method: https-form-post (as the site uses HTTPS)
- URL: /login
- Parameters for the form: username=admin, password=from the password list, submit_login (boolean)
- I want to use a password file (password.txt)
When the login doesn't work, a page is shown whose HTML title is "Failed login"; however, I'm not sure how to tell this to Hydra.
So I tried the following, but I get the result that all passwords work:
hydra -l admin -P password.txt 127.0.0.1 https-post-form "/login:username=^USER^&password=^PASS^&submit_login&Login:Failed login"
I also tried the "success" version with S=Welcome back
... then the correct password isn't identified as correct.
Where is my error?