I need to test if my website registration form can have problems with brute force attacks, because this form requires an invite code. Is there any tool for this kind of test?
-
Hydra can help with this: http://sectools.org/tool/hydra/ – Jeroen Sep 03 '15 at 06:09
-
What do you consider problems? Do you want to make sure your codes are resistant to being easily found through brute force attacks? Do you want to make sure your registration form includes a captcha or other mechanism to avoid automated attack altogether? – PwdRsch Sep 03 '15 at 20:02
-
I don't want to add a captcha (at least for the first try), as some users leave the page when they find a captcha. I wanted to make sure the app/server would resist a DoS attack or somehow allow a user to sign up with a wrong invite code. – juliano.net Sep 04 '15 at 14:11
2 Answers
I'm positive there are quite advanced tools available for this. Form fuzzers come immediately to mind.
If you're just trying to check what happens when 10,000 form posts come in, you might be able to script something fairly trivially.
I haven't tested this, but you might have luck with something similar to:
# Submit the form 100 times in a row and print the HTTP status of each response;
# raise the loop bound to test higher volumes.
for ((i=1; i<=100; i++)); do
    curl -s -o /dev/null -w '%{http_code}\n' "localhost:1337" -c "cookiejar" -d "user=foo&pass=bar"
done
Edit: I wanted to circle back on this with a couple of links: you can find all of these on OWASP's Testing for Brute Force page, which has a lot of information on what you're trying to accomplish.
- Bruter: http://sourceforge.net/projects/worawita/
- THC Hydra: http://www.thc.org/thc-hydra/
- John the Ripper: http://www.openwall.com/john/
- Brutus: http://www.hoobie.net/brutus/
- Basic Auth Bruteforcer: https://market.android.com/details?id=com.firebird.basicauthbruteforcer
- Cain & Abel: http://www.oxid.it/cain.html
Note: Chrome gave me some trouble when trying to go to thc.org. If you want to get past all that, just see the Hydra GitHub Project instead.
-
Don't forget [Burp Suite](https://portswigger.net/burp/) and [OWASP ZAP](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)! – Noir Sep 03 '15 at 08:55
-
Bruter doesn't allow you to specify which form field will be used on brute force attack. I could not use Brutus because of the antivirus. Basic Auth Bruteforcer is not available on Google Play. – juliano.net Sep 03 '15 at 13:30
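The scripted approach the answer above sketches, worked out in Python as an added example (not code from the answer or from any of the tools it lists). It plays both sides: a stub registration endpoint standing in for the asker's form, and a brute-force client that posts candidate invite codes and reports whether one was accepted and whether the server ever started throttling. The `/register` path, the `user`/`invite` field names, the invite code `K7Q2`, the `registered` success marker and the five-failure lockout threshold are all constructed assumptions for the demo; against a real form you would point `brute_force()` at the live URL and swap in the form's own field names and success text.

```python
"""Brute-force the invite-code field of a registration form and report whether
the server throttles the attempts. StubRegistration is a constructed stand-in
for the site under test; brute_force() is the part you would aim at a real form."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_CODE = "K7Q2"   # constructed secret invite code known only to the stub
MAX_FAILURES = 5      # assumed lockout policy: refuse after this many bad codes


class StubRegistration(BaseHTTPRequestHandler):
    """POST /register with user=...&invite=...  -> 200 'registered' on a good
    code, 403 on a bad one, 429 once a client exceeds MAX_FAILURES (if the
    server was started with throttle=True)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        client = self.client_address[0]
        failures = self.server.failures  # per-client counter lives on the server
        if self.server.throttle and failures.get(client, 0) >= MAX_FAILURES:
            self._reply(429, b"too many attempts")
            return
        if form.get("invite", [""])[0] == VALID_CODE:
            self._reply(200, b"registered")
        else:
            failures[client] = failures.get(client, 0) + 1
            self._reply(403, b"invalid invite code")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stub(throttle):
    """Start the stub on a random loopback port; return (server, register_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubRegistration)
    server.throttle = throttle
    server.failures = {}
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/register"


def brute_force(url, candidates, success_marker=b"registered"):
    """POST each candidate invite code to the form. Stops at the first accepted
    code or the first 429. Returns {'code', 'attempts', 'throttled'}."""
    result = {"code": None, "attempts": 0, "throttled": False}
    for code in candidates:
        data = urllib.parse.urlencode({"user": "probe", "invite": code}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        result["attempts"] += 1
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                status, body = resp.status, resp.read()
        except urllib.error.HTTPError as err:  # urlopen raises on 4xx/5xx
            status, body = err.code, err.read()
        if status == 429:
            result["throttled"] = True
            break
        if status == 200 and success_marker in body:
            result["code"] = code
            break
    return result


# Constructed candidate list; the real code sits at position 8 so a lockout at
# five failures fires before the brute force can reach it.
CANDIDATES = ["AAAA", "0000", "TEST", "1234", "ABCD", "ZZZZ", "0001", VALID_CODE]


def run_demo(throttle):
    """Brute-force a fresh stub with the given throttle setting and return the result."""
    server, url = start_stub(throttle)
    try:
        return brute_force(url, CANDIDATES)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("no throttling:", run_demo(throttle=False))
    print("with throttling:", run_demo(throttle=True))
```

Against the unthrottled stub the client walks straight through the list and lands on the valid code; against the throttled one it gets a 429 on the sixth request and never reaches it. That difference in `attempts` and `throttled` is the signal to look for when the same client is pointed at the real form: if every candidate keeps returning the same 403 with no slowdown, the invite code is only as strong as its length and alphabet.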
Also Burp https://portswigger.net/burp/
While you're at it - although ZAP (Zed Attack Proxy) is not a tool specifically designed for dictionary attacks - it is a swiss army knife for scanning for Web site vulnerabilities. Quite easy to get up and running and it can proxy through SSL pages.
Recently moved from Google Code to GitHub https://github.com/zaproxy/zaproxy