Penetration Testing mailing list archives

Web brute forcing tool against HTTPS


From: Whitehat <whitehaat () gmail com>
Date: Sat, 25 Oct 2008 00:57:26 +0530

Dear List,

I'm doing a Web application PT against a website running on HTTPS, in which I found that the password recovery mechanism is weak, because if you enter a correct Registration ID then it'll send a new password to the corresponding email. Now my idea is to perform a brute force attack against the input field, which could lead to a potential "Denial of Service", since I know the length of the Registration ID.

I'm trying "Crowbar" as usual, but... it is not able to get the base response.
I was able to do this successfully for many other sites.

Is it because of:

1. HTTPS - Can't we brute force HTTPS-implemented sites?
2. Implementing ViewState in aspx.
3. Or something else that is causing the error?


Please suggest different techniques or any other tool to do that.


Cheers,
Whitehat.
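
The recovery weakness reported above, shown beside a hardened flow, as an added example that is not part of the original post and not the tested site's code. The account store, function names, limits and reply strings are assumptions made for illustration.

```python
import hashlib, secrets, time

# Constructed sample data: registration ID -> account record (hypothetical schema).
ACCOUNTS = {"REG1001": {"email": "a@example.test", "password": "old-secret"}}
RESET_TOKENS = {}   # sha256(token) -> (registration_id, expiry time)
ATTEMPTS = {}       # client address -> timestamps of recent recovery requests
MAX_REQUESTS, WINDOW, TOKEN_TTL = 5, 3600, 900   # assumed limits, in seconds
GENERIC_REPLY = "If that ID is registered, a reset link has been sent."

def weak_recover(reg_id):
    """Flow as described in the post: a valid ID immediately replaces the password."""
    acct = ACCOUNTS.get(reg_id)
    if acct is None:
        return "Invalid Registration ID"          # also confirms which IDs exist
    acct["password"] = secrets.token_urlsafe(8)   # owner is locked out until mail is read
    return "New password sent"

def request_reset(reg_id, client, now=None, outbox=None):
    """Hardened: throttled per client, same reply for any ID, password untouched."""
    now = time.time() if now is None else now
    recent = [t for t in ATTEMPTS.get(client, []) if now - t < WINDOW]
    if len(recent) >= MAX_REQUESTS:
        ATTEMPTS[client] = recent
        return "Too many requests"
    ATTEMPTS[client] = recent + [now]
    if reg_id in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (reg_id, now + TOKEN_TTL)   # only the hash is stored
        if outbox is not None:
            outbox.append((ACCOUNTS[reg_id]["email"], token))  # stand-in for sending mail
    return GENERIC_REPLY

def confirm_reset(token, new_password, now=None):
    """Password changes only when the mailbox owner presents the one-time token."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < now:
        return False
    ACCOUNTS[entry[0]]["password"] = new_password
    return True
```

With the hardened flow, submitting Registration IDs in bulk neither changes any account's password nor reveals which IDs are valid, and the per-client limit caps the volume of reset mail.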



