Because there is no standard implementation, and web applications are much more flexible in terms of validation and attack prevention, login forms pose some special challenges when it comes to brute forcing them:
- There is no standard name, position, or format in the username and password parameters
- There is no standard negative or positive response to a login attempt
- The client-side and server-side validations may prevent certain types of attacks or repeated submission of requests
- Authentication may be done in more than one step; that is, asking the username in one page and the password in the next page
Fortunately for penetration testers, most applications use the basic pattern of HTML form, sent through a POST request including the username and password as parameters and getting a redirect to the user's home page on successful login, and an error or redirection to the login page if failed. You will now examine two methods used to execute a dictionary attack on this kind of form. The same principle applies to almost all form-based authentication, with some modifications on how the responses are interpreted and the required parameters for submission.