Web Form Password Brute Force with FireForce I spent many hours today playing around with DVWA

(Damn Vulnerable Web App), fromRandomstorm, brushing up on my web app pentesting skills, to be honest its been a long time and I really need to get back on top of this. Anyways, after going through all the usual SQL injection, XSS stuff I thought Id have a go at the brute forcing part of the app. Well after what seemed like days I gave up, with little or no success Id tried the usual suspect for bruting the password Hydra. Until I Googled around and found a Firefox addon called Fireforce the article that I found is here Dark Reading The website for the tool is here SCRT ,there is a manual in english too. What the extension does is finds out the fields for the brute force attack in the web page source code, an automated way rather than reading through it manually, and then tries to brute force using your wordlists. You can view the source code for the webpage by right clicking on the page and selecting View page source.

Here you can pick out the form action GET and the password, username and submit info. This is what you would normally feed into Hydra, as shown here:hydra -l admin -P wordlist.txt -f -v 192.168.124.123 http-get-form /vulnerabilities/brute/:username=^USER^&password=^PASS^&submit=Login:Username and/or Password incorrect. So to Fireforce, best read the manual for all options, but really all you have to do once its installed is right click in the fields for username and password and load up your wordlists for usernames and passwords and let it rip.

Et Viola *******Edit******** After a bit more reading after publishing this post, I found out that Hydra falls a little short when dealing with web forms, an article I found on the excellent Attack Vector blog, Mat also had issues with Hydra and web forms.