Saturday, March 12, 2016

Using Burp Suite To Attack Website Logins - Video



This video shows how to use Burp Suite to intercept login form POSTs, modify them in Burp Suite's Intruder, and launch an automated attack that works against most websites. In the video we attack a website whose login form carries a hidden anti-forgery token. That token, together with a tracking cookie submitted with the form, must match on the server; if they do not, the server will not even attempt to validate the login. This prevents tools like Hydra from attacking the login effectively.

Here is the code that is run on the server when the Login Form is Posted:

As you can see, the AntiForgeryToken is checked before the server even enters the Login action. If that check fails, the server never attempts to process the login.
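As an added illustration (not the post's own server code), here is a minimal Python sketch of that order of checks: the hidden form token is bound to the tracking cookie with an HMAC, and the login action only runs once the token and cookie agree. The server key, field names and user store are constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed for this example: a server-side key and a toy user store.
SERVER_KEY = b"example-server-key-not-for-production"
USERS = {"alice": "correct horse battery staple"}
TOKEN_FIELD = "antiforgery_token"  # assumed hidden form field name


def issue_antiforgery_token(tracking_cookie: str) -> str:
    """Return the hidden form token for a page served with this cookie.

    The token is a random nonce plus an HMAC over (cookie, nonce), so a
    token captured alongside one cookie does not validate with another.
    """
    nonce = secrets.token_hex(8)
    msg = f"{tracking_cookie}|{nonce}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def antiforgery_token_valid(tracking_cookie: str, form_token: str) -> bool:
    """Recompute the HMAC for this cookie and compare in constant time."""
    try:
        nonce, mac = form_token.split(".", 1)
    except ValueError:
        return False
    msg = f"{tracking_cookie}|{nonce}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def post_login(tracking_cookie: str, form: dict) -> str:
    """Mimic the check order described above: the anti-forgery check runs
    first, and the login action never executes unless it passes."""
    if not antiforgery_token_valid(tracking_cookie, form.get(TOKEN_FIELD, "")):
        return "rejected: antiforgery token mismatch (login never attempted)"
    # Only now does the login action run and look at the credentials.
    stored = USERS.get(form.get("username", ""), "")
    if stored and hmac.compare_digest(stored, form.get("password", "")):
        return "ok"
    return "invalid credentials"
```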

While this video shows a method that will work against most websites, my company designs secure web applications that can mitigate such an attack. If you are interested in learning more about the applications we design, please email Garrett Fogerlie

3 comments:

  1. What's the point of this process? Like, why are you doing it?

    Replies
    1. I have a question. I did something similar: I entered an invalid email and password and tried to log in, in order to get the details in Burp Suite ...
      When I did the attack, the "status" and the "length" were all the same.
      How can I recognize the correct email and password of the target??

    2. @Anonymous, you need to look for some kind of difference. Usually the size is different on good logins. Make sure you use a real name and password along with some wrong ones so you can see if there is a difference. If everything is the same, you may be able to have it search the response for a word that is only displayed on a successful login, like Welcome. You'll have to Google how to do this, if it is even possible.
