- Captcha:
- Arithmetic, visual, image.
- It is not an authentication control, but it mitigates enumeration attacks.
- Analyse the login form behaviour: enter a wrong username/password with the correct captcha.
- Replay attack: intercept the request in Burp and send it to Repeater and Intruder.
- In Repeater, check whether the captcha expires. If it does not, go ahead with the attack.
- Drop the request in the Burp interceptor.
- In Intruder, add the parameters: username and password.
- Use the cluster bomb attack type. It will use both parameters in a single request/attack.
- Fill the payload options with wordlists of usernames and passwords.
- In Options, under Grep - Match, put the invalid password message string.
- Check the responses.
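
The Repeater check above only succeeds when the server keeps a captcha valid after it has been submitted. The following is an added example, not code from the original post, showing that weak server-side check beside a single-use one; the class, method names, TTL value and sample answer are assumptions made for illustration.

```python
import hmac
import secrets
import time

CAPTCHA_TTL_SECONDS = 120  # assumed lifetime; tune per application


def _same(expected, supplied):
    """Constant-time comparison of the expected and supplied captcha answers."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


class CaptchaStore:
    """In-memory challenge store; a real deployment would use the session or a shared cache."""

    def __init__(self, ttl=CAPTCHA_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # challenge_id -> (expected_answer, issued_at)

    def issue(self, answer):
        """Register a new challenge and return its unguessable id."""
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, self._clock())
        return challenge_id

    def verify_reusable(self, challenge_id, answer):
        """Weak form: the challenge stays valid after use, so a captured request replays."""
        entry = self._pending.get(challenge_id)
        return entry is not None and _same(entry[0], answer)

    def verify_single_use(self, challenge_id, answer):
        """Hardened form: consume the challenge on every attempt, right or wrong, and enforce the TTL."""
        entry = self._pending.pop(challenge_id, None)  # pop means one attempt per challenge
        if entry is None:
            return False
        expected, issued_at = entry
        if self._clock() - issued_at > self._ttl:
            return False
        return _same(expected, answer)


def replay_outcomes(store, verify_name, attempts=3):
    """Submit one (challenge_id, answer) pair repeatedly, as a replayed login request would."""
    cid = store.issue("7")  # constructed sample: answer to an arithmetic captcha such as 3 + 4
    verify = getattr(store, verify_name)
    return [verify(cid, "7") for _ in range(attempts)]
```

With the single-use check every login attempt needs a freshly solved captcha, so the captcha value captured in one request is rejected on the second submission.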