So basically I'm testing Hydra on one of my own websites. In this case, I know the correct logins.
For the purposes of this post, let's say the correct username is [email protected] and the correct password for that username is password123
Here's the relevant info about my website:
URL where POST data is sent:
[email protected] password=password123 csrf=4047b4baa2e66befd72d9d9b58dfa5bcee0cbb2e
CSRF is mandatory, otherwise the login won't work. csrf is its own POST data parameter. If the email and username are correct, the user will be logged in. If they're wrong, the login page will simply reload. (So there is no error message that says like "Password Incorrect".)
I know the POST data I posted above is correct because when I enter it in my browser it logs me in.
Now, to brute force this, I'm using hydra. Here's the command I'm using:
hydra -V -l [email protected] -P testlist.txt mywebsite.com https-post-form "/index/auth:email=^USER^&password=^PASS^&csrf=4047b4baa2e66befd72d9d9b58dfa5bcee0cbb2e: "
Only problem is, when I run that command, it tells me:
1 of 1 target completed, 0 valid passwords found
when I know FOR SURE that the correct password is in my password list. How can I get hydra working for this, so I don't get a false negative?