From: joh ket (johket@hotmail.com)
Date: Thu Apr 18 2002 - 05:16:13 EDT
I am currently involved in a pen test on a website
which is using form-based authentication.
I figured out that an account, named 'test' exists...
(...)
Now I want to brute force this account, I am using
Brutus AET2 for this.
But I do not know how to use the HTML response.
Below the packet capture of a response of a login
which was successful:
HTTP/1.1.302.Object.Moved..Location:.start.cfm?cid=
(lines deleted)
<head><title>Document.Moved</title></head><body
><h1>Object.Moved</h1>
This.document.may.be.found.<a.HREF="start.cfm?
cid=
(lines deleted)
A capture of an unsuccessful capture looks like this:
HTTP/1.1.302.Object.Moved..Location:.original.cfm?
login=Invalid password. Please try again
(lines deleted)
Document.Moved</title></head>.<body><h1>Object.
Moved</h1>This.document.may.be.found.<a.HREF="
original.cfm?login=Invalid password. Please try
again">here</a>
So depending on the password I get redirected to a
page...
How should the primary and the secondary response
be configured?
Or does somebody else have a better idea how to do
this?
Thanks in advance!
Joh Ket