Penetration Testing mailing list archives
Web brute forcing tool against HTTPS
From: Whitehat <whitehaat () gmail com>
Date: Sat, 25 Oct 2008 00:57:26 +0530
Dear List,

I'm doing a web application PT against a website running on HTTPS, in which I found that the password recovery mechanism is weak, because if you enter a correct Registration ID then it'll send a new password to the corresponding email. Now my idea is to perform a brute force attack against the input field, which could lead to a potential "Denial of Service", since I know the length of the Registration ID.

I'm trying "Crowbar" as usual, but... it is not able to get the base response.

I was able to do this successfully for many other sites. Is it because of:

1. HTTPS - can't we brute force HTTPS-implemented sites?
2. Implementing ViewState in aspx.
3. Or something else that is causing the error?

Please suggest different techniques or any other tool to do that.

Cheers,
Whitehat.