|
There are the steps you should take to create a valid HTTP Brute Force test:
| 1. | Choose the target Web Macro in the left side tree. If you don't know what it is or you don't know how to create, see "Macro Recorder". |
| 2. | You must manually identify the transaction where the authentication credentials are provided (user/password). Search for the right URI within the "Choose authentication transaction" section and click on it. |
| 3. | Now you must point to N-Stalker HTTP Brute Force tool what are the variables being used to authenticate. You must identify either the username and password variables whose content will be replaced by a user-supplied list. You must do that under "Choose username and password variables" section: |
Username
|
This is the "Username" field. You must point out the corresponding field.
|
Password
|
This is the "Password" field. You must point out the corresponding field.
|
N/A
|
Fields that are not being used must no be changed (should hold "N/A" value).
|
Important Note: There must no more than one (1) "Username" and one (1) "Password" field.
| 4. | Next you must provide a file location that contain both username and password lists. File format is one entry per line (either username or password). |
| 5. | At last you should teach N-Stalker what a successful logon looks like (or at least what is not like). You must use "A successful login will have the following characteristics" section: |
HTTP Status
|
What would be a successful HTTP status code (usually 200).
|
Match Type
|
What is the matching logics:
Positive
|
When positive, the expression must match to be considered successful (e.g: "you are authenticated").
|
Negative
|
When negative, the expression must not match to be considered successful (e.g: "incorrect username or password").
|
|
Match Location
|
This is the data location to match the expression:
Body
|
Match expression against HTTP Response Body.
|
Header
|
Match expression against HTTP Response Header.
|
All
|
Match expression against both Body e Header.
|
|
Expression
|
This is the expression to be matched. You may use a common string or a regular expression (e.g: "[Ss]uccessful [Aa]uthentication").
|
| 6. | To initiate the session, click on "Start Task" and adjust the number of "Threads" to indicate the number of simultaneous attempts. |
|
