HttpWaf Login Bruteforce

1 minute read

  1 minute read

Http Login Bruteforce python script with WAF fingerprint and Web Protection fingerprint

Prerequisite

  • request file from burp suite or any tool request intercept
  • CREDENTIALFILE in pair of username:password format
  • username field
  • password field
  • invalid message

WAF Fingerprint Methodology

  • based on request or response headers.
  • response page content.

Features

  • Read request file from burp suite or any tool request intercept
  • WAF fingerprint:
    • Mod_Security
    • WebKnight
    • Cloudflare
    • FortiWeb
    • Imperva Incapsula
    • GoDaddy
    • ASP.NET Generic
  • Web Protection fingerprint:
    • Clickjacking
    • CloudFlare protection
    • CSRF token

Tested on

  • http://vulnweb.lab.rz.my/user/login.php
  • https://grabme.herokuapp.com/target/

Installation

  1. Python 3
  2. git clone https://github.com/faisalfs10x/HttpWaf-Login-Bruteforce
  3. run ‘bash install.sh’ to auto-install module in requirements.txt

Usage

usage: httpwaf.py [-h] -r REQUESTFILE -c CREDENTIALFILE -u USERFIELD -p PASSFIELD -i INVMSG [-V]

Parallel Dictionary Login

optional arguments:

      -h, --help            					show this help message and exit
      -r REQUESTFILE, --requestfile REQUESTFILE  		path to requestfile.txt format from burpsuite request intercept is compulsory!!
      -c CREDENTIALFILE, --credentialfile CREDENTIALFILE  	path to credentialfile.txt in pair of username:password format
      -u USERFIELD, --userfield USERFIELD  			username field
      -p PASSFIELD, --passfield PASSFIELD  			password field
      -i INVMSG, --invmsg INVMSG  				invalid message in double quoted string
      -V, --version         					show program's version number and exit

Source code:

Output

enter image description here enter image description here