Configuring HTTP Brute Force


These are the steps you should take to create a valid HTTP Brute Force test:

1. Choose the target Web Macro in the tree on the left. If you do not know what a Web Macro is or how to create one, see "Macro Recorder".

clip0076

2. You must manually identify the transaction in which the authentication credentials (username/password) are submitted. Search for the corresponding URI within the "Choose authentication transaction" section and click on it.

clip0077

3. Now you must tell the N-Stalker HTTP Brute Force tool which variables are used to authenticate. You must identify both the username and the password variable, whose contents will be replaced by entries from a user-supplied list. You do that under the "Choose username and password variables" section:

clip0078

Username

This is the "Username" field. You must point out the corresponding variable.

Password

This is the "Password" field. You must point out the corresponding variable.

N/A

Fields that are not being used must not be changed (they should keep the "N/A" value).

Important Note: There must be no more than one (1) "Username" and one (1) "Password" field.

4. Next you must provide the location of the file(s) containing the username and password lists. The file format is one entry per line (a username or a password).

clip0079

5. Finally, you should teach N-Stalker what a successful logon looks like (or at least what it does not look like). Use the "A successful login will have the following characteristics" section:

clip0080

HTTP Status

The HTTP status code expected from a successful login (usually 200).

Match Type

The matching logic applied to the expression:

Positive

When positive, the expression must match for the attempt to be considered successful (e.g. "you are authenticated").

Negative

When negative, the expression must not match for the attempt to be considered successful (e.g. "incorrect username or password").

Match Location

The part of the response the expression is matched against:

Body

Match the expression against the HTTP response body.

Header

Match the expression against the HTTP response headers.

All

Match the expression against both the body and the headers.

Expression

The expression to be matched. You may use a plain string or a regular expression (e.g. "[Ss]uccessful [Aa]uthentication").
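As an added illustration (not the N-Stalker tool's own code), the following Python reproduces the step 5 decision rule so you can see how HTTP Status, Match Type and Match Location combine before configuring them; the class and function names and the sample responses are my own constructions, and the expression is assumed to always be evaluated as a regular expression.

```python
import re
from dataclasses import dataclass


@dataclass
class SuccessCriteria:
    """The 'successful login' characteristics from step 5 (field names are assumed)."""
    http_status: int = 200
    match_type: str = "Positive"    # "Positive" or "Negative"
    match_location: str = "Body"    # "Body", "Header" or "All"
    expression: str = ""            # plain string or regular expression


@dataclass
class HttpResponse:
    status: int
    headers: str   # raw header block as text
    body: str


def is_successful_login(criteria: SuccessCriteria, resp: HttpResponse) -> bool:
    """Apply the step 5 rule: the status must match, then the expression is
    searched in the chosen location and interpreted with Positive/Negative logic."""
    if resp.status != criteria.http_status:
        return False
    if criteria.match_location == "Body":
        haystack = resp.body
    elif criteria.match_location == "Header":
        haystack = resp.headers
    elif criteria.match_location == "All":
        haystack = resp.headers + "\r\n\r\n" + resp.body
    else:
        raise ValueError(f"unknown match location: {criteria.match_location}")
    # Assumption: the expression is always evaluated as a regular expression,
    # which also covers a plain string such as "you are authenticated".
    matched = re.search(criteria.expression, haystack) is not None
    if criteria.match_type == "Positive":
        return matched
    if criteria.match_type == "Negative":
        return not matched
    raise ValueError(f"unknown match type: {criteria.match_type}")


# Constructed sample responses (not captured from any real application)
HDR_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/html"
OK_PAGE = HttpResponse(200, HDR_200, "<p>Successful Authentication</p>")
FAIL_PAGE = HttpResponse(200, HDR_200, "<p>incorrect username or password</p>")
REDIRECT = HttpResponse(302, "HTTP/1.1 302 Found\r\nLocation: /home\r\nSet-Cookie: sid=1", "")

POSITIVE = SuccessCriteria(200, "Positive", "Body", r"[Ss]uccessful [Aa]uthentication")
NEGATIVE = SuccessCriteria(200, "Negative", "Body", "incorrect username or password")
COOKIE = SuccessCriteria(302, "Positive", "Header", r"Set-Cookie: sid=")
```

Note that the status check is applied first: with the NEGATIVE criteria a 302 redirect is still not counted as a success, because its status is not 200, so an application that redirects on login needs HTTP Status set to 302 and a Header match such as COOKIE.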

 

6. To start the session, click "Start Task" and adjust the number of "Threads" to set the number of simultaneous attempts.

clip0081