Burp Suite Series: Efficient use of Payload Options when Attacking HTTP Basic Authentication

By | September 3, 2012

Source: Spylogic.net

by Tom

In this article “In this series of blog posts I’ll be discussing some handy Burp Suite techniques we often use on our penetration tests. Burp Suite is our de facto tool of choice for assessing web applications and conducting web based brute force attacks.  First up are some techniques to use when conducting brute force attacks on websites that use HTTP Basic Authentication.  While simple brute force attacks are easy to set up in Burp Suite (think form based authentication) not a lot of tutorials exist out there for how to brute force HTTP Basic Authentication, especially if the password is not in clear text like you might usually find it.

How HTTP Basic Authentication Works

HTTP Basic Authentication works by Base64 encoding the username and password in the HTTP header.  It looks like this in a web request:

Authorization: Basic dmljdGltQHZpY3RpbS5jb206cGFzc3dvcmQ=

Running this through Burp Suite’s decoder function (Base64 decode) gives us the following:

victim@victim.com:password”

Leave a Reply