How to Brute Force Website Login with OWASP ZAP

1 week ago

Cartoon hacker using OWASP ZAP for brute force attack.

How to Brute Force Website Passwords with ZAP Proxy

Introduction

ZAP (Zed Attack Proxy) is an open-source web application security scanner. It helps security professionals find vulnerabilities in web applications. One of its features is the ability to perform brute force attacks, which attempt to gain access by trying many possible passwords. In this article, we will demonstrate how to use ZAP Proxy to perform a brute force attack on a website’s login form. This technique is for educational purposes only. Ensure you have explicit written permission before testing any website.

Deploy GoPhish Phishing Platform on Ubuntu 18.04 into AWS

Performing a Brute Force Attack

Setting Up the Environment

Tools Required:

ZAP Proxy: Make sure ZAP is installed. If you need help, follow the installation instructions on the official website.
Test Environment: We will use demo.testfire.net, a demo site designed for security testing.

Steps to Perform a Brute Force Attack

Load the Target Website:

Launch ZAP and use the “Manual Explore” feature to start your browser through ZAP.
Navigate to http://demo.testfire.net.

Navigate to the Login Page:

As the login page loads, you will see the request in ZAP’s History tab.
Perform a test login using admin as the username and 12345 as the password, then click “Login.”

Intercept the Request:

Enable breakpoints in ZAP to intercept the request.
Submit the login form with the credentials admin and 12345.
ZAP will intercept and pause the request, allowing you to inspect it.

Prepare for Brute Force:

Locate the password field in the intercepted request.
Right-click on the password value and select “Fuzz.”

Configure Fuzzing Payloads:

In the Fuzz window, highlight the password field and click “Add.”
Choose “File” as the payload source and navigate to zap/dictionaries/passwords/john.txt, a built-in word list.

Deploy ShadowSocks Proxy Server on Ubuntu 20.04 into AWS

Start the Attack:

Click “Start Fuzzer.” ZAP will send requests with different passwords from the word list.

Analyze the Results:

Once fuzzing is complete, examine the response codes, headers, and body sizes for anomalies.
Responses that differ from the typical “Login failed” responses are of interest.
Sort by response header size or body size to find potential successful login attempts.

Identify the Correct Password:

Look for responses with different sizes, indicating a successful login.
For example, if most responses are 126 bytes but one is 261 bytes, the latter likely indicates a successful login.

Verify the Login:

Use the identified password with the known username to log in.
For instance, if admin:admin was identified as valid, use these credentials.

Successful Login: – A successful login confirms the brute force attack worked, granting access to the test website.

Conclusion

ZAP Proxy is a powerful tool for security testing, including brute force attacks on login forms. By carefully analyzing responses and using appropriate word lists, you can identify weak passwords and improve the security of the systems you have permission to test. Always use such tools responsibly and ethically.