Brute Force Attack on Login Page
Theory
1. What is a Brute Force Attack?
A brute force attack is a trial-and-error method used to guess login credentials, encryption keys, or hidden web pages. The attacker systematically tries all possible combinations of usernames and passwords until the correct one is found. Unlike more sophisticated attacks that exploit specific vulnerabilities, brute force relies on sheer computational power and persistence.
In the context of web applications, an attacker sends repeated login requests to the server, each time with a different set of credentials from a wordlist. By analyzing the server's HTTP response — specifically the status codes and response body — the attacker can determine whether a given username or password is valid.
2. HTTP Response Status Codes
HTTP status codes are three-digit numbers returned by the server in response to a client's request. They indicate whether the request was successful, redirected, or resulted in an error. In a vulnerable application, different status codes may be returned for different authentication outcomes:
- 200 OK — The request was successful. In login context, this may indicate a valid user login.
- 210 (Custom) — Used in this experiment to indicate a successful admin login.
- 220 (Custom) — Indicates the username is correct but the password is wrong.
- 404 Not Found — The username does not exist in the system.
- 406 Not Acceptable — A registered user provided an incorrect password.
The variation in status codes across different inputs is what makes the application vulnerable to enumeration. An attacker can determine whether a username exists simply by observing which requests return a different status code.
3. Burp Suite and the Intruder Tool
Burp Suite is a widely used web application security testing platform. It acts as a proxy between the browser and the target server, allowing the tester to intercept, inspect, and modify HTTP requests and responses. The key components used in this experiment are:
- Proxy — Intercepts HTTP/HTTPS traffic between the browser and the server. The tester can view and modify requests before they reach the server.
- Intruder — Automates customized attacks by injecting payloads (e.g., username/password lists) into specific positions in an HTTP request. It supports multiple attack types including Sniper (single payload position) and Cluster Bomb (multiple positions).
- Repeater — Allows manual modification and resending of individual requests to observe server behavior.
4. Attack Methodology
The brute force attack on a login page typically follows these phases:
- Phase 1 — Username Enumeration: The attacker uses a list of common usernames and a fixed dummy password. By sending each username to the login endpoint and observing the HTTP response codes, the attacker identifies valid usernames (e.g., a 220 response vs. 404 for invalid usernames).
- Phase 2 — Password Enumeration: Once a valid username is identified, the attacker fixes the username and iterates through a password wordlist. The response code that differs from the majority (e.g., 210 vs. 220) reveals the correct password.
5. Prevention Techniques
To protect web applications against brute force attacks, the following countermeasures should be implemented:
- Rate Limiting — Restrict the number of login attempts from a single IP address within a given time window.
- Account Lockout — Temporarily lock an account after a certain number of failed login attempts.
- CAPTCHA — Require users to solve a challenge (e.g., reCAPTCHA) to prove they are human.
- Multi-Factor Authentication (MFA) — Require a second form of verification (e.g., OTP, authenticator app) in addition to the password.
- Uniform Error Messages — Return the same error message and status code for all failed login attempts, regardless of whether the username or password was incorrect (differences in response length or timing can leak the same information, so the failure responses should also be identical in body and comparable in timing).
- Web Application Firewalls (WAFs) — Deploy a WAF to detect and block automated attack patterns.
- Strong Password Policies — Enforce minimum password length, complexity, and prevent use of common passwords.
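As an added example (not part of the original lab), the following Python shows the leaky status-code scheme from Section 2 beside a hardened handler that combines the uniform-error, rate-limiting and account-lockout countermeasures above; the credential store, thresholds and timestamps are constructed for the demo.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed demo credential store (placeholder values, not from the lab).
USERS = {"admin": "S3cretAdmin!", "alice": "alicePass1"}


def vulnerable_login(username: str, password: str) -> int:
    """Mirrors the lab's status-code scheme: every outcome is distinguishable."""
    if username not in USERS:
        return 404                                    # unknown username -> enumerable
    if not hmac.compare_digest(USERS[username].encode(), password.encode()):
        return 220 if username == "admin" else 406    # valid username, wrong password
    return 210 if username == "admin" else 200        # success (admin vs. regular user)


class HardenedLogin:
    """Uniform failure response plus per-IP rate limiting and per-account lockout."""

    def __init__(self, max_per_ip=5, window=60.0, lockout_after=3, lockout_seconds=300.0):
        self.max_per_ip, self.window = max_per_ip, window
        self.lockout_after, self.lockout_seconds = lockout_after, lockout_seconds
        self.ip_attempts = defaultdict(deque)   # ip -> timestamps of recent attempts
        self.failures = defaultdict(int)        # username -> consecutive failures
        self.locked_until = {}                  # username -> unlock timestamp

    def login(self, ip: str, username: str, password: str, now=None) -> int:
        now = time.time() if now is None else now
        recent = self.ip_attempts[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()                    # drop attempts outside the window
        if len(recent) >= self.max_per_ip:
            return 429                          # per-IP rate limit, reveals nothing about users
        recent.append(now)
        if self.locked_until.get(username, 0) > now:
            return 401                          # locked account looks exactly like a bad password
        ok = username in USERS and hmac.compare_digest(
            USERS[username].encode(), password.encode())
        if not ok:
            self.failures[username] += 1
            if self.failures[username] >= self.lockout_after:
                self.locked_until[username] = now + self.lockout_seconds
            return 401                          # same code for unknown user and wrong password
        self.failures[username] = 0
        return 200
```

Note that the hardened handler also returns 401 when a locked account is given the correct password, so the lockout itself cannot be used as an oracle for valid usernames.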