Saturday, March 12, 2016

Using Burp Suite To Attack Website Logins - Video

This video shows how to use Burp Suite to intercept login form posts, alter them in Burp Suite's Intruder, and launch an automated attack that works against most websites. In the video we attack a website whose login form carries a hidden Antiforgery token. That token, together with a tracking cookie submitted with the form, stops the server from even attempting to validate the login when the two don't match, which prevents tools like Hydra from effectively hacking the login.

Here is the code that is run on the server when the Login Form is Posted:

As you can see, the AntiForgeryToken is checked before the server even enters the Login action, so if the token check fails the server never attempts to process the login.
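The ordering described above, modelled in Python as an added example (this is not the post's own server code, which is not reproduced here): a form token is an HMAC over the anti-forgery cookie, so a token only validates against the cookie it was issued with; that check runs before the password is ever consulted, the way an ASP.NET MVC `[ValidateAntiForgeryToken]` filter runs before the action body. Because a client that fetches a fresh token with every attempt still passes that filter, the example also adds a per-account failure throttle, which is the control that actually limits automated guessing. `SERVER_KEY`, the `USERS` store, `LoginService`, its limits and the injectable clock are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Assumption: a server-side secret. Constructed for this demo, never reuse it.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _hash_password(salt: bytes, password: str) -> bytes:
    # Demo-only hashing; a real service would use a slow KDF (bcrypt/argon2).
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user store: username -> (salt, hash). Not real credentials.
_SALT = b"demo-salt"
USERS = {"alice": (_SALT, _hash_password(_SALT, "correct horse battery staple"))}


def issue_antiforgery_pair():
    """Return (cookie_value, form_token) for a freshly rendered login form.

    The form token is an HMAC of the cookie value, so a token captured with
    one cookie cannot be replayed alongside a different cookie."""
    cookie = secrets.token_hex(16)
    form_token = hmac.new(SERVER_KEY, cookie.encode(), hashlib.sha256).hexdigest()
    return cookie, form_token


def antiforgery_valid(cookie: str, form_token: str) -> bool:
    """True only if the posted form token matches the submitted cookie."""
    if not cookie or not form_token:
        return False
    expected = hmac.new(SERVER_KEY, cookie.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, form_token)


class LoginService:
    MAX_FAILURES = 5        # failures per username before the account is throttled
    WINDOW_SECONDS = 900    # sliding window the failures are counted over

    def __init__(self, clock=time.monotonic):
        self._clock = clock                   # injectable so tests can advance time
        self._failures = defaultdict(list)    # username -> failure timestamps
        self.credential_checks = 0            # how often the password was consulted

    def _recent_failures(self, username: str) -> int:
        cutoff = self._clock() - self.WINDOW_SECONDS
        self._failures[username] = [t for t in self._failures[username] if t > cutoff]
        return len(self._failures[username])

    def login(self, cookie: str, form_token: str, username: str, password: str) -> str:
        # 1. Anti-forgery filter: rejected before the action body runs at all.
        if not antiforgery_valid(cookie, form_token):
            return "forbidden"
        # 2. Throttle: a throttled account is refused before its password is read.
        if self._recent_failures(username) >= self.MAX_FAILURES:
            return "locked"
        # 3. Only now is the credential examined.
        self.credential_checks += 1
        record = USERS.get(username)
        if record is None:
            # Unknown names count as failures too, so guessing them is not cheaper.
            self._failures[username].append(self._clock())
            return "bad_credentials"
        salt, stored = record
        if hmac.compare_digest(stored, _hash_password(salt, password)):
            self._failures[username].clear()
            return "ok"
        self._failures[username].append(self._clock())
        return "bad_credentials"
```

The same cookie/token pair validates repeatedly because the token is stateless; rotating it per response only forces a client to fetch a new form first, which the video shows Intruder can do. That is why the lockout window, not the token, is the part worth tuning, and why a responder should alert on many `forbidden` or `locked` results for one account or source rather than expect the token to stop the guessing.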

While this video shows a method that works against most websites, my company designs secure web applications that mitigate such attacks. If you are interested in learning more about the applications we design, please email Garrett Fogerlie