Embedded Ajax Brute-Force Tool

There are a few cases when preparing a PoC for brute-force attack on the login page can be complicated. It is no longer uncommon to find a login form based on web sockets, or which implements some sort of client-side encryption with JavaScript. In these cases, configuring a brute-attack quickly with a middle proxy (e.g. Burp’s Intruder) is not possible. It also happens that clients request for the penetration testings to be conducted on a specific machine, without access to common attacking tools.

For these reasons, I wrote a very minimalistic brute-force tool that runs inside the browser (the source code, following this post, has to be copy-pasted into browser’s JavaScript console).

As it is possible to see in the following screenshot, a number of things need to be configured:

  • The username on which we want to perform the guessing attack
  • A password dictionary used for the attack (passwords are separated by new lines in the file)
  • Interval: time (in milliseconds) between each attempt. Remember that we are simulating the brute-force inside the browser itself. It is almost as if the user is manually performing the attack, typing on his keyboard at an insane speed. Since the attack is single-threaded, it is important to wait for the response before making the next attempt.


  • In addition, the HTML IDs have to me manually extracted from the page’s HTML source code:



Finally, when the “START ATTACK” button is clicked, we can see the attack happening in real time on the page, while attempts are logged in the console:



When a successful attempt is made, the last payload is displayed in an alert box:



Please note this tool only works on AJAX-like login forms, which do not redirect/refresh the page between each login attempt, but only display a failure message to the user.


Download the following source code, from here: bf.js

1 reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *