I am trying to develop a pentest on a product for a customer that is really interested in implementing good security.
Using tamper data I get this information when clicking on the "Login" button in the login page using "security" as user and "fails" as the password.
Method: POST Status: 401 Content type: application/json URL: http://ift.tt/1vhBCr8 Host: testing.product.company.com User-Agent: User-Agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 Accept: Accept=application/json, text/plain, */* Accept-Language: Accept-Language=es-MX,es-ES;q=0.8,es-AR;q=0.7,es;q=0.5,en-US;q=0.3,en;q=0.2 Accept-encoding: Accept-Encoding=gzip, deflate Authorization: Authorization=Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJleHAiOjE0MjM2ODk3NzQsInVzZXJuYW1lIjoidGVzdFFBIiwiaWF0IjoiMTQyMzYwMzM3NCJ9.ohOVEggMzuhz1e-kzo14uKifXQkgMM6fWQIpTTmOwpG_vZyMvRME8gtOqU3pIKqADPsmmQJQ_S5i7NMu8Mi-Y1gB5YdEnS-zTYttHNv-LEmgONYrBIow9xzEh8sRZc3AYEJNNmcsOqjgSHUIvzUpDfqJtaqsFn6rbkCI_8V6uJTEuKZJQlDgCNNXgRWLhuKtKJMfNQ14gGwtCCUue6RAT2LWV3ub-VpLBw655pHR21peZT1teuoShM22xAQGvLZQ58WMv_rpGyNp396FoqLO76lonqPUduLOEXumco0WMcn9tDgAEf5Iulr5HlXThAsJxQsiX6SDmC9B0jg2EMUgp1rXBmFAuzHh-SsgoyAqa4ROoikS2tGeus7YagJzG3RkmqqRWre1O3zE4RifhEWROsVnVISaSKnr4LDNgw8Un-ZLlAB6WYPRKAQBxDqPNWXC_jnk2djmer4B1zXOfvtn8bnYmg_X7Rjv3dlnPzkiNKE8X0KRJkITH5lQylgB2QpcL2649H7eau9zppwM4dI_vJiE_c0WaUjen9TJIspjSewBEx5ccU-1JLYJnjAGldFy-9WdpVuLU-kTthmLqEQ21eXmoeaCQOLJk7uI6mRtcSTKOAneRXQDur6dst_QKpkIxmskcl5mS7nY8BX0U_87Pmm-nDK0NtdvvKgdxATwXQ0 Content-type: Content-Type=application/json;charset=utf-8 Refer: http://ift.tt/17bWRW6 Content-lenght: 59 Cookie: Cookie=_ga=GA1.6.1959860531.1423439036; PHPSESSID=9kl6i1ooi62plsrh8oups6ofc0 Connection: Connection=keep-alive Pragma: no-cache Cache-control:no-cache POSTDATA: POSTDATA={"username":"security","password":"fails","remember":false}
Received header Status: Unauthorized user Content type: application/json
When clicking on the button with incorrect cedentials, the product takes me to the very same login page with the following string added:
Invalid User Name Or Password
With this I have designed the following hydra attack:
hydra 23.22.209.102 -V http-form-post '/app.php/tokens:{"username\"\:\"^USER^\",\"password\"\:\"^PASS^\",\"remember\"\:false}:Invalid User Name Or Password' -l testuser -P dict.txt
But in every attempt, hydra returns the following error:[ERROR] the target is using HTTP auth, not a web form, received HTTP error code 401. Use module "http-get" instead.
If I use with GET instead it will say every single combination was succesful.
I'm not sure what I'm doing wrong.
Aucun commentaire:
Enregistrer un commentaire