Hydra/bruteforcing: no passwords found

So basically I'm testing Hydra on one of my own websites. In this case, I know the correct logins.

For the purposes of this post, let's say the correct username is [email protected] and the correct password for that username is password123

Here's the relevant info about my website:

URL where POST data is sent: https://mywebsite.com/index/auth

POST data:

[email protected] password=password123 csrf=4047b4baa2e66befd72d9d9b58dfa5bcee0cbb2e 

CSRF is mandatory, otherwise the login won't work. csrf is it's own post data parameter. If the email and username are correct, the user will be logged in. IF they're wrong, the login page will simply reload. (So there is no error message that says like "Password Incorrect").

I know the POST data i posted above is correct because when I enter it in my browser it logs me in.

Now, to brute force this, I'm using hydra. Here's the command I'm using:

hydra -V -l [email protected] -P testlist.txt mywebsite.com https-post-form "/index/auth:email=^USER^&password=^PASS^&csrf=4047b4baa2e66befd72d9d9b58dfa5bcee0cbb2e: " 

Only problem is, when I run that command, it tells me: 1 of 1 target completed, 0 valid passwords found when I know FOR SURE that the correct password is in my password list. How can I get hydra working for this, so I don't get a false negative?


Category: web application Time: 2016-07-31 Views: 2

Related post

iOS development

Android development

Python development

JAVA development

Development language

PHP development

Ruby development


Front-end development


development tools

Open Platform

Javascript development

.NET development

cloud computing


Copyright (C) avrocks.com, All Rights Reserved.

processed in 0.131 (s). 12 q(s)