In this post, I will show you how to test a website's login page for a brute-force vulnerability (missing rate limiting) using Burp Suite Intruder.
Learn Burp Suite basics here: https://www.youtube.com/watch?v=G3hpAeoZ4ek https://www.youtube.com/watch?v=Z08oqrV9wqs
Take 100 passwords from this list: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-1000.txt
1. Open the website's login page and enter any credentials.
2. Enable the proxy in your browser and send the login request to the Burp Suite Intruder tab.
3. Click Clear, select the password value in the request, and click Add to place a payload marker on the password field.
4. Open the Payloads tab and paste your 100 passwords.
5. Add your correct password at the end of the list.
6. Start the attack.
7. If you receive 429/400/502 errors or your account gets locked, the website has rate-limiting protection.
8. For the correct password you will see a different status code or a different response length.
So this is how you can test any login page for a brute-force vulnerability and report it. This issue is sometimes out of scope on bug bounty programs, so read the policy before reporting it.
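As an added example (not part of the original post), here is the kind of server-side control that produces the 429 responses and account lockouts described in step 7: a sliding-window limiter with a per-account lockout and a per-IP cap. The class name, thresholds, and the sample account and IP address are constructed for illustration.

```python
# Added example, not from the original post: a login rate limiter that tracks
# failed attempts per account and per client IP in a sliding window, locks the
# account after too many failures, and answers further attempts with HTTP 429.
from collections import defaultdict, deque

WINDOW_SECONDS = 300       # sliding window for counting failures
MAX_PER_ACCOUNT = 5        # failures per username before lockout
MAX_PER_IP = 20            # failures per client IP across all accounts
LOCKOUT_SECONDS = 900      # how long a locked account stays locked


class LoginRateLimiter:
    def __init__(self):
        self.fail_by_user = defaultdict(deque)   # username -> failure timestamps
        self.fail_by_ip = defaultdict(deque)     # ip -> failure timestamps
        self.locked_until = {}                   # username -> unlock time

    @staticmethod
    def _prune(q, now):
        # Drop failures that fell out of the sliding window.
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def attempt(self, username, ip, password_ok, now):
        """Return (status_code, body) for one login attempt at time `now`."""
        if self.locked_until.get(username, 0) > now:
            return 429, "too many attempts"
        self._prune(self.fail_by_user[username], now)
        self._prune(self.fail_by_ip[ip], now)
        if len(self.fail_by_ip[ip]) >= MAX_PER_IP:
            return 429, "too many attempts"
        if password_ok:
            self.fail_by_user[username].clear()   # successful login resets the account counter
            return 302, "redirect: /home"
        self.fail_by_user[username].append(now)
        self.fail_by_ip[ip].append(now)
        if len(self.fail_by_user[username]) >= MAX_PER_ACCOUNT:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return 429, "too many attempts"
        return 401, "invalid credentials"


def simulate_wordlist_run(passwords, correct, now=0.0):
    """Replay a wordlist run like the one above against one constructed account,
    one attempt per second, and return the status code of each attempt."""
    limiter = LoginRateLimiter()
    return [limiter.attempt("alice", "203.0.113.7", p == correct, now + i)[0]
            for i, p in enumerate(passwords)]
```

With the correct password placed last, as in step 5, the account is already locked by the time it is tried, so the run shows 429 instead of the distinctive 302 from step 8.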