[ OWASP - Montréal ]Vrute force HTML form password guessing

Benoit Guerette benoit.guerette at gmail.com
Tue Nov 25 22:54:39 EST 2008

That was too obvious ;) I didn't find the replay tool, but I can use the
fuzzer and provide a password.txt file as a source, so it will do brute
force password guessing


WebScarab is doing very well with HTTPS, but I have trouble with burp. Paros
is great, but it use a homemade user-agent so my web application firewall
drop all requests

I looked in the mailing list history, seems we are the first to post?

On Tue, Nov 25, 2008 at 10:15 PM, Laurent Desaulniers <
laurent.desaulniers at gmail.com> wrote:

> Hello,
>   I am very happy to see activity on the Owasp Montreal group. To answer
> your question, there are many options. You can do bruteforce with webscarab,
> using the post replay tool (under the advanced view). Of course, burp proxy
> and paros will do the same. If you look for something more automated; burp
> proxy 2.0 will be able to brute force automatically.
> I am also told that websleuth may be able to do it to (
> http://sandsprite.com/Sleuth/). W3af (http://w3af.sourceforge.net/) is
> also able to brute force http forms, (either use formauthBrute or SpiderMan)
> I hope it answers your question.
> Laurent Desaulniers
> On Tue, Nov 25, 2008 at 8:22 PM, Benoit Guerette <
> benoit.guerette at gmail.com> wrote:
>> Hi!
>> I am using WebScarab for a lot of injection tests. Is there any good tool
>> for brute force password guessing in html forms? It do not seems to be an
>> option on WebScarab.
>> Most antivirus don't like brutus, and I have trouble running Burp Suite
>> with ssl.
>> Thanks
>> --
>> http://www.linkedin.com/in/benoitguerette
>> _______________________________________________
>> Owasp-montreal mailing list
>> Owasp-montreal at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-montreal
> --
> *CONFIDENTIALITÉ* L'information apparaissant dans ce message électronique
> est de nature légalement privilégiée et confidentielle. Si ce message vous
> est parvenu par erreur et que vous n'êtes pas le destinataire visé, vous
> êtes par les présentes avisé que tout usage, copie ou distribution de ce
> message est strictement interdit. Vous êtes donc prié de nous informer
> immédiatement de cette erreur et de détruire ce message.
> *CONFIDENTIALITY* The information in this message is legally privileged and
> confidential. In the event of a transmission error and if you are not the
> individual or entity mentioned above, you are hereby advised that any use,
> copying or reproduction of this document is strictly forbidden. Please
> advise us of this error and destroy this message.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-montreal/attachments/20081125/a96d8885/attachment.html 

More information about the Owasp-montreal mailing list