[ OWASP - Montréal ] Brute force HTML form password guessing

Benoit Guerette benoit.guerette at gmail.com
Wed Nov 26 08:13:05 EST 2008


Thanks Laurent. The user-agent was hidden at a place I never looked :)

But it's still not working. Even if the user-agent is changed, Paros continues to
add its stuff, and my Web App Firewall traps it.

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5.6
(KHTML, like Gecko) Safari/125.12 Paros/3.2.13



On Wed, Nov 26, 2008 at 7:22 AM, Laurent Desaulniers <
laurent.desaulniers at gmail.com> wrote:

> Hello Benoit,
>
>    You can change the User Agent of Paros if you like: go to Tools -->
> Filters --> "Change the agent to other browsers".
>
> I hope it answers your question
>
> Laurent
>
>
>
> On Tue, Nov 25, 2008 at 10:54 PM, Benoit Guerette <
> benoit.guerette at gmail.com> wrote:
>
>> That was too obvious ;) I didn't find the replay tool, but I can use the
>> fuzzer and provide a password.txt file as a source, so it will do brute
>> force password guessing.
>>
>> Thanks!
>>
>> WebScarab is doing very well with HTTPS, but I have trouble with Burp.
>> Paros is great, but it uses a homemade user-agent, so my web application
>> firewall drops all requests.
>>
>>
>>
>> I looked in the mailing list history; it seems we are the first to post?
>>
>>
>> On Tue, Nov 25, 2008 at 10:15 PM, Laurent Desaulniers <
>> laurent.desaulniers at gmail.com> wrote:
>>
>>> Hello,
>>>
>>>   I am very happy to see activity on the OWASP Montreal group. To answer
>>> your question, there are many options. You can do brute force with WebScarab,
>>> using the POST replay tool (under the advanced view). Of course, Burp proxy
>>> and Paros will do the same. If you look for something more automated, Burp
>>> proxy 2.0 will be able to brute force automatically.
>>>
>>> I am also told that WebSleuth may be able to do it too (
>>> http://sandsprite.com/Sleuth/). w3af (http://w3af.sourceforge.net/) is
>>> also able to brute force HTTP forms (use either formAuthBrute or SpiderMan).
>>>
>>>
>>> I hope it answers your question.
>>>
>>>
>>> Laurent Desaulniers
>>>
>>>
>>>
>>> On Tue, Nov 25, 2008 at 8:22 PM, Benoit Guerette <
>>> benoit.guerette at gmail.com> wrote:
>>>
>>>> Hi!
>>>>
>>>> I am using WebScarab for a lot of injection tests. Is there any good
>>>> tool for brute force password guessing in HTML forms? It does not seem to be
>>>> an option in WebScarab.
>>>>
>>>> Most antivirus programs don't like Brutus, and I have trouble running Burp Suite
>>>> with SSL.
>>>>
>>>> Thanks
>>>>
>>>> --
>>>> http://www.linkedin.com/in/benoitguerette
>>>>
>>>> _______________________________________________
>>>> Owasp-montreal mailing list
>>>> Owasp-montreal at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-montreal
>>>>
>>>>
>>>
>>>
>>> --
>>> *CONFIDENTIALITY* The information in this message is legally privileged
>>> and confidential. In the event of a transmission error and if you are not
>>> the individual or entity mentioned above, you are hereby advised that any
>>> use, copying or reproduction of this document is strictly forbidden. Please
>>> advise us of this error and destroy this message.
>>>
>>
>>
>>
>> --
>> http://www.linkedin.com/in/benoitguerette
>>
>
>
>
>



-- 
http://www.linkedin.com/in/benoitguerette
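The thread touches on two things a defender would want to detect on the web server side: a proxy/fuzzer that tags the browser User-Agent it forwards (the "Paros/3.2.13" suffix quoted above, which is what the web application firewall is matching on) and a burst of failed POSTs to an HTML login form, which is what form password guessing looks like in the access log. The following detection script is an added example written for this page, not code from the thread or from any of the tools named in it. It assumes combined-format access log lines, a login form at /login that answers 401 on a failed attempt, and a threshold of 5 failures per source IP in a 60-second sliding window; the log lines it runs over are constructed, not real traffic.

```python
"""Flag scanner-tagged User-Agents and login-form guessing bursts in access logs.

Assumptions (not from the mailing-list thread): combined log format,
login form at /login, 401/403 on a failed login, 5 failures / 60 s per IP.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Tokens that interception proxies/fuzzers append to (or use as) the User-Agent.
# "Paros/" is the one quoted in the thread; the others are assumed examples of the same pattern.
SCANNER_UA_TOKENS = ("Paros/", "WebScarab", "w3af")

LOGIN_PATH = "/login"           # assumed location of the HTML login form
FAIL_STATUS = {401, 403}        # assumed status codes returned on a failed login
WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 5                   # assumed failures per IP per window


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def scanner_ua_hits(entries):
    """Return (ip, user-agent) pairs whose User-Agent carries a known scanner token."""
    return [(e["ip"], e["ua"]) for e in entries
            if any(tok in e["ua"] for tok in SCANNER_UA_TOKENS)]


def guessing_sources(entries):
    """Return IPs with >= THRESHOLD failed POSTs to LOGIN_PATH inside any WINDOW."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == LOGIN_PATH and e["status"] in FAIL_STATUS:
            per_ip[e["ip"]].append(e["time"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                flagged.add(ip)
                break
    return sorted(flagged)


def analyse(lines):
    """Run both detections over raw log lines; unparseable lines are skipped."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    return {"scanner_ua": scanner_ua_hits(entries), "guessing": guessing_sources(entries)}


# Constructed sample log (not real traffic). The first UA is the one quoted in the thread.
PAROS_UA = ("Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5.6 "
            "(KHTML, like Gecko) Safari/125.12 Paros/3.2.13")
BROWSER_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) Firefox/3.0.4"


def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = (
    # six failed logins from one IP in 25 seconds, all carrying the Paros suffix -> flagged
    [_line("10.0.0.5", f"26/Nov/2008:08:13:{s:02d} -0500", "POST", "/login", 401, PAROS_UA)
     for s in range(5, 35, 5)]
    # a normal browser session with a single typo'd password -> not flagged
    + [_line("10.0.0.9", "26/Nov/2008:08:14:00 -0500", "GET", "/login", 200, BROWSER_UA),
       _line("10.0.0.9", "26/Nov/2008:08:14:10 -0500", "POST", "/login", 401, BROWSER_UA),
       _line("10.0.0.9", "26/Nov/2008:08:14:20 -0500", "POST", "/login", 302, BROWSER_UA)]
)

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("scanner-tagged requests:", len(result["scanner_ua"]))
    print("guessing sources:", result["guessing"])
```

The User-Agent check is the cheap signal the firewall in the thread relies on, and the thread itself shows why it is weak on its own: the tag can be removed or overridden in the tool. The rate-based check on failed form POSTs does not depend on the client announcing itself, so the two are best used together, with the threshold and window tuned to what the application's real users do.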