Brute Forcing
Sometimes just looking isn't enough
There are several different ways to brute force for a site.

Virtual Host Enumeration

gobuster vhost -u https://m4lwhere.org -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Login Brute Forcing

hydra -l <username> -P <password list> <ip> http-post-form "/<login url>:username=^USER^&password=^PASS^:F=incorrect" -V
hydra -l admin -P top_100.txt 127.0.0.1 http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect" -V
hydra -L users.txt -P passwords.txt m4lwhere.org https-post-form "/login:username=^USER^&password=^PASS^:Invalid"

Fuzzing

CSRF Testing

ZAP Anti CSRF Test Form, can be used to determine if the token is vulnerable
​
​
Copy link
Outline