Password HTML form bruteforce

[joh ket <johket () hotmail com>]

Hi there,

I am currently involved in a pen test on a website 
which is using formbased authentication.

I figured out that a account, named 'test' exists...
(...)

Now I want to brute force this account, I am using 
Brutus AET2 for this.

But I do not know how to use the HTML response.

Below the packet capture of a response of a login 
which was succesfull:

HTTP/1.1.302.Object.Moved..Location:.start.cfm?cid=
(lines deleted)
<head><title>Document.Moved</title></head><body
> <h1>Object.Moved</h1>
This.document.may.be.found.<a.HREF="start.cfm?
cid=
(lines deleted)

A capture of an unsuccessfull capture looks like this:

HTTP/1.1.302.Object.Moved..Location:.original.cfm?
login=Invalid password. Please try again 
(lines deleted)
Document.Moved</title></head>.<body><h1>Object.
Moved</h1>This.document.may.be.found.<a.HREF="
original.cfm?login=Invalid password. Please try 
again">here</a>

So depending on the password I get redirected to a 
page...

How should the primary and the secondary repsonse 
be configured?

Or does somebody else have a better idea how to do 
this?

Thanks in advance!

Joh Ket


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/