Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

http-post-form endless loop when recieved 401 status code response #974

Open
1pgjy-grass opened this issue Aug 28, 2024 · 1 comment
Open

http-post-form endless loop when recieved 401 status code response #974

1pgjy-grass opened this issue Aug 28, 2024 · 1 comment

Comments

@1pgjy-grass
Copy link

I'm playing with OWSAP juice shop project.
Trying to guess admin's password on the website using hydra(v9.5).
The login page will response 401 status code when I failed to login.

Hydra seems to go crazy in this case (401). He try to perform a http get then a http post then a http get ... over and over again.
Of course, if I give a right user/password nothing wrong would happen.
Also, the hidden option parameter ’1‘ mentioned somewhere does not recognized by hydra.

right user/password
hydra-right

wrong user/password => 401
hydra-wrong

endless loop
hydra-wireshark

parameter '1' does not recognized
hydra-1=
@N3M3S1Spy
Copy link

N3M3S1Spy commented Nov 8, 2024
edited
Loading

Your hydra syntax is almost correct, but there are a few adjustments to make it work properly. Specifically:

  1. Syntax for http-post-form:
    • Ensure the URL format is correct.
    • Use the proper delimiters : for separating the URL and parameters.
    • The -I option (capital I) stands for "insane mode," which is usually not needed. You might want to use -V (verbose) or -f (stop on the first successful attempt) instead.

Here's the corrected syntax:

hydra -l user -p pass 192.168.0.107 -s 3000 http-post-form "/rest/user/login:email=^USER^&password=^PASS^:F=Invalid" -V

Explanation of the Parameters:

  • -l xxx: Specifies the username.
  • -p xxx: Specifies the password.
  • 192.168.0.107: The target IP address.
  • -s 3000: The port on which the web server is running (optional if it's not the default port 80/443).
  • http-post-form: The protocol module for Hydra.
  • "/rest/user/login:email=^USER^&password=^PASS^:F=Invalid":
    • Path: /rest/user/login
    • Parameters: email and password are replaced with ^USER^ and ^PASS^ placeholders.
    • Failure String: F=Invalid checks if the response contains "Invalid" (indicating a failed login).
  • -V: Verbose mode for detailed output.

Notes:

  • Ensure that the failure string F=Invalid matches the actual response from the server. If it's incorrect, Hydra might misinterpret the results.
  • If you want Hydra to stop after the first successful login attempt, use -f.

I hope this helps you get the correct results!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@1pgjy-grass @N3M3S1Spy