Login Hack

Web applications are protected by identifying and authenticating the users at the login page using a unique username and password combination. The login page can be bypassed or infilterated by a number of methods such as SQL injection, brute forcing, cookies stealing, etc.

SQL Injection

Bypass Authentication

Brute Force

The less sophisticated method is to try and brute force our way into the application using a combination of usernames and passwords. There are many tools to conduct this attack and THC-hydra is one of them.

hydra 192.168.1.1 http-form-post "/login/login.php:user=admin&pass=^PASS^:INVALID LOGIN" -l admin -P /usr/share/wordlists/rockyou.txt -vV -f

Basic recon should have been conducted on the page to understand the request and response formats. Also, this method will be less of a bruteforce if the password list is generated from the personalized information gathered out of the website of the organization or social media pages of the user.

Burp Suite

Burp suite is another fantastic tool to achieve a number of things while trying to a test a website. It is the swiss army knife in the hands of a white hacker.

Session Hijacking

One of the more popular methods to gaining access to a website is by hijacking a valid session. Once an user logs into a website, it creates a cookie on the user's computer to identify the session. This cookie is deleted once the user logs out of the application. There are a number of methods to hijack this cookie to gain access to the application.

Cross Site Scripting

PreviousSubdomain/Vhost Fuzz NextCross Site Scripting

Last updated 1 year ago