Authentication Bruteforce

Wordlist

Wfuzz

$ wfuzz -d '{"email":"a@email.com","password":"FUZZ"}' -H 'Content-Type: application/json' -z file,/usr/share/wordlists/rockyou.txt -u http://127.0.0.1:8888/identity/api/auth/login --hc 405

-d option allows you to fuzz content that is sent in the body of a POST request

--hc option hides responses with certain response codes

-H option lets you add a header to the request. Some API providers may respond with an HTTP 415 Unsupported Media Type error code if you don’t include the Content -Type:application/json header when sending JSON data in the request bod

Intercept an authent request and adapt the command

Password Spraying

Use Burp Intruder

Email Enumeration Username lists

PreviousEmail Enumeration NextJWT Token

Last updated 1 month ago

Was this helpful?