When you are hunting on any program, check this below Out of Scope vulnerability. Because this where most of the bug hunters think that Bruteforce vulnerability is out of scope and they will ignore this vulnerability. But when this is mentioned, this means all bruteforce attacks are out of scope except bruteforce attack on login form is in-scope. Most of the times, these bugs are accepted in medium severity by many programs.
1. Using Intruder in Burpsuite:- This is a simple technique to understand if website is vulnerable to Bruteforce Attack or not. We use Intruder to send 100/50 passwords attempts on any login form of a website and if last attempt is successful, then its vulnerable.
2. Using Turbo Intruder:- Some websites enforces weak rate limiting Security features like captcha, rate limiting headers or counting failed logon attempts. In some cases it can be bypassed using turbo intruder. Beauty of turbo intruder is that it can send 100 or more than that requests as 1 request which makes backend to think it as 1 request but we are sending 100 requests. So this is how we can send 100 of passwords with 1 correct password to check if its vulnerable or not.
3. Using Headers to spoof IP:- In this, we use headers in burpsuite repeater to check if any header can bypass rate limiting security features. For more info about these headers, check this https://github.com/KathanP19/HowToHunt/blob/master/Rate_limit/RateLimitBypass.md
4. Using Special Characters:- You can use special characters or NULL byte at the end of the email/username parameter in the Burpsuite request. Sometimes backend processes these special characters which make our user credentials unique and we are able to bypass account lockout features. Some special characters which you can try:-
%0d , %2e , %09 , %20 , %0, %00, %0d%0a, %0a, %0C or you can try this:- email@example.com,a&password=password123
5. IP Rotate Technique:- This technique is mostly used to bypass rate limiting security features like rate limiting headers or any feature which count failed logon attempts from same IP address. In this, we use simple intruder technique with IP Rotate Burpsuite plugin to change our IP address randomly for each request. https://portswigger.net/bappstore/2eb2b1cb1cf34cc79cda36f0f9019874
6. Using Forget password page:- Sometimes Forget password page unlocks user accounts. So an attacker can continue his brute-force attack by unlocking the user accounts when it's locked by security features.
I will share writeups of all these techniques which are found on real bug bounty programs.
Follow me on twitter for new tips and tricks