
I am doing pentesting for a web application, but I do not know if I am using the Tamper Data add-on on Mozilla correctly.

Could anyone explain how to get the following parameters, and where I need to look?

When doing the login, I would need to get these things identified:

Postback page

Post Parameters

Failed attempt unique text

Regards.

I try to do the following.

From a web application

www.mysite.com/dologin.php

Then I get the pop-up window requesting the login credentials

I try two options

A) A successful login with the correct username and password

B) A failed login with a correct username but with a wrong password

Regards.

ORP
    TamperData is crap, use BURP or ZAP. – rook Dec 26 '14 at 15:24
  • Could you explain the steps you are taking with Tamper Data and exactly what you see when it doesn't work as expected? What do you mean by "failed attempt unique text"? You want to do something with the username and password that failed the login? Since you used the term "Postback", I guess you have a framework that uses an intermediate page to 'postback' the login credentials to the original page for handling. So, please describe the setup you have (what framework?) – mcgyver5 Dec 26 '14 at 15:30

1 Answer


Based on your list, I suspect you are trying to follow this tutorial on using hydra to brute force http forms. If so, go back and read the instructions again. It says to use Tamper Data to capture the Post parameters. Like Rook said, you are better off with Burp as it allows you to cut and paste the raw request.

To do that:

Click Start Tamper (then submit the form in your browser...)

Click Tamper

There are the post params.

mcgyver5
  • Yes, you are correct, I am doing this as in the mentioned example, but I have no clue how to get the data using Tamper. It is not straightforward where the information is "written" when tampering. – ORP Dec 26 '14 at 16:26
  • I updated answer to show how to see the data – mcgyver5 Dec 26 '14 at 16:51
  • Could you please give an example of the syntax with this example of your webpage? – ORP Jan 02 '15 at 15:27
  • ORP, I am not sure what you are asking for. – mcgyver5 Jan 02 '15 at 16:30
  • As mentioned on the website, the syntax of the failure to put into Hydra. The redirect URL contains "%" as a symbol. Still, I do not understand if this URL with % symbols is the input for Hydra or not. Thanks. – ORP Jan 02 '15 at 16:39
  • The % symbols are just encoding a URL (%3A is the encoded form of ":", %2F is a slash). – mcgyver5 Jan 02 '15 at 23:43
  • And that redirect URL is just one of my parameters; you need to capture your own, which will be different. – mcgyver5 Jan 03 '15 at 02:27
  • Yes, it is clear, thanks; in my site I have the same as you have. Shall we continue the discussion by email? The space to describe the problem here as a comment is short. – ORP Jan 03 '15 at 09:55
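As an added example, not part of the question, the answer, or the tutorial the answer refers to, the following Python script takes a captured raw POST request of the kind Tamper Data or Burp shows after the login form is submitted and pulls out the three items the question lists: the postback page (the path the form posts to), the post parameters (decoded, which also shows the %3A / %2F decoding mcgyver5 describes), and candidate "failed attempt unique text", found by comparing the response body of the successful attempt (case A) with that of the failed attempt (case B). The request, the host, the field names and both response bodies are constructed for illustration; a real capture will differ.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the raw request Tamper Data or Burp would show after the
# login form is submitted. Host, path, field names and values are invented;
# "wrongpass" stands in for the wrong password of case B in the question.
SAMPLE_BODY = (
    "username=alice&password=wrongpass"
    "&redirect=http%3A%2F%2Fwww.mysite.com%2Fhome.php&login=Login"
)
SAMPLE_REQUEST = (
    "POST /dologin.php HTTP/1.1\r\n"
    "Host: www.mysite.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n" + SAMPLE_BODY
)

# Constructed response bodies for case A (correct password) and case B (wrong one).
SUCCESS_BODY = (
    "<html><body>\n"
    "<h1>Welcome, alice</h1>\n"
    '<a href="/logout.php">Log out</a>\n'
    "</body></html>"
)
FAILURE_BODY = (
    "<html><body>\n"
    '<p class="error">Invalid username or password</p>\n'
    '<form action="/dologin.php" method="post">...</form>\n'
    "</body></html>"
)


def parse_post_request(raw):
    """Split a raw HTTP request into the pieces the question asks for.

    Returns the postback page (request path), the Host header, the decoded
    POST parameters and any parameters carried in the URL query string.
    Percent-encoding in the body (%3A, %2F, ...) is decoded by parse_qsl,
    so the values come back as the application will see them.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    if method.upper() != "POST":
        raise ValueError(f"expected a POST request, got {method}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        raise ValueError(f"unsupported body encoding: {ctype or '(none)'}")
    url = urlsplit(target)
    return {
        "postback_page": url.path,
        "host": headers.get("host", ""),
        # dict() keeps the last value if a field name repeats; keep_blank_values
        # retains empty fields, which the server still receives.
        "params": dict(parse_qsl(body, keep_blank_values=True)),
        "query_params": dict(parse_qsl(url.query, keep_blank_values=True)),
    }


def unique_lines(body, other):
    """Non-empty lines present in `body` but absent from `other`, in order."""
    other_lines = {line.strip() for line in other.splitlines()}
    return [
        line.strip()
        for line in body.splitlines()
        if line.strip() and line.strip() not in other_lines
    ]


def failure_unique_text(success_body, failure_body):
    """Candidate strings that appear only on the failed-login page (case B)."""
    return unique_lines(failure_body, success_body)


if __name__ == "__main__":
    parsed = parse_post_request(SAMPLE_REQUEST)
    print("Postback page:", parsed["postback_page"], "on host", parsed["host"])
    for name, value in parsed["params"].items():
        print(f"  {name} = {value!r}")
    print("Text only on the failed attempt:")
    for line in failure_unique_text(SUCCESS_BODY, FAILURE_BODY):
        print("  ", line)
```

The decoded `redirect` value comes back as `http://www.mysite.com/home.php`, which is what the `%3A` and `%2F` in the captured body stand for; the raw, still-encoded body is what actually travelled on the wire. The line comparison returns every line that differs, so the login form itself shows up beside the error message; the error message is the one that identifies a failed attempt reliably, because the form may also appear elsewhere.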