Username and Password Bruteforcing with BurpSuite
On authentication forms such as login pages, Burp Suite's Intruder can be used to run a brute-force attack fed by dictionaries or lists of well-known usernames and passwords.
Intercept a request to the target endpoint using the Proxy tab, right-click the request, and choose Send to Intruder.

Go to the Intruder tab, select the target field to be changed (for example the password parameter) and hit the Add button.

Check that the desired field is surrounded by § markers, which means it has been selected as a payload position. Then, in the right panel, add the desired payloads and hit the Start Attack button at the top.

Another window opens listing each request together with the payload it carried. Here the results can be compared to spot responses that differ from the rest: status code, response length, or other interesting values.
