As the following screenshot shows, a number of things need to be configured:
- The username on which we want to perform the guessing attack
- A password dictionary used for the attack (passwords are separated by new lines in the file)
- Interval: time (in milliseconds) between attempts. Remember that we are simulating the brute-force inside the browser itself. It is almost as if the user were manually performing the attack, typing on the keyboard at an insane speed. Since the attack is single-threaded, it is important to wait for the response before making the next attempt.
- In addition, the HTML IDs have to be manually extracted from the page’s HTML source code:
Finally, when the “START ATTACK” button is clicked, we can see the attack happening in real time on the page, while attempts are logged in the console:
When a successful attempt is made, the last payload is displayed in an alert box:
Please note this tool only works on AJAX-like login forms, which do not redirect/refresh the page between each login attempt, but only display a failure message to the user.
The source code can be downloaded from here: bf.js
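Seen from the server, the attack described above is a run of failed logins for one username at a near-constant interval, sometimes ending in a success. The following detection function is an added example, not part of bf.js or the original post; the event fields (`ts`, `username`, `ok`), the thresholds and the sample events are assumptions constructed for illustration.

```javascript
// Added example (not bf.js): flag paced, single-username guessing in login logs.
// Event fields (ts, username, ok) and all thresholds are assumptions.
function detectPacedGuessing(events, opts = {}) {
  const { minFailures = 5, maxJitterRatio = 0.2, maxGapMs = 5000 } = opts;
  const byUser = new Map();
  for (const e of events) {
    if (!byUser.has(e.username)) byUser.set(e.username, []);
    byUser.get(e.username).push(e);
  }
  const findings = [];
  for (const [username, list] of byUser) {
    list.sort((a, b) => a.ts - b.ts);
    let run = []; // current streak of consecutive failures
    const flush = (endedInSuccess) => {
      if (run.length >= minFailures) {
        const gaps = run.slice(1).map((e, i) => e.ts - run[i].ts);
        const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
        const sd = Math.sqrt(gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length);
        // A timer-driven loop gives short gaps with very little spread.
        if (mean <= maxGapMs && sd <= maxJitterRatio * mean) {
          findings.push({ username, failures: run.length, meanGapMs: Math.round(mean), endedInSuccess });
        }
      }
      run = [];
    };
    for (const e of list) {
      if (e.ok) flush(true); // a success closes the streak
      else run.push(e);
    }
    flush(false);
  }
  return findings;
}

// Constructed sample events (ts in milliseconds).
const t0 = 1700000000000;
const mk = (username, offsets) => offsets.map((d) => ({ ts: t0 + d, username, ok: false }));
const sample = [
  // alice: eight failures about 500 ms apart, then a success (timer-paced)
  ...mk('alice', [0, 510, 1005, 1498, 2010, 2507, 3001, 3510]),
  { ts: t0 + 4005, username: 'alice', ok: true },
  // bob: three mistyped passwords at human speed, then a success
  ...mk('bob', [0, 4200, 15300]),
  { ts: t0 + 21000, username: 'bob', ok: true },
  // carol: six failures spread irregularly over two minutes
  ...mk('carol', [0, 9000, 40000, 47000, 120000, 131000]),
];
console.log(detectPacedGuessing(sample));
```

A finding is a signal for per-account throttling or lockout on the login endpoint; the thresholds need tuning against real login traffic.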