securityowasphydra

Hydra with OWASP juice-shop


I'm new in cybersecurity and I'm trying to hack the docker container juice-shop from OWASP as training: OWASP juice shop.

I'm trying to brute force the login page with hydra, but hydra just return 16 fake positives and I really don't understand why:

hydra 127.0.0.1 -s 3000  -l admin@juice-sh.op -P rockyou.txt http-post-form "/#/login:email=^USER^&password=^PASS^&loginButton=submit:F=Invalid email or password."

fake positive hydra

I guess that could came from the login page that is a angular page . SPA must have some interaction problem with hydra but I don't really know. Someone could help me understand what happened here?

I have tried to change the hydra command line changing parameters for 3hours:

hydra 127.0.0.1 -s 3000  -l admin@juice-sh.op -P rockyou.txt http-post-form "login:email=^USER^&password=^PASS^:F=Login"

I looked in the solution from OWASP. They didn't use hydra: OWASP solution

I found password with sql injection but I would find it with brute-force and Hydra , I would like understand why it's not working.


Solution

  • I got some answers. Hydra don't look to be the appropriate tool to brute force with json payload. You could recode hydra script but I found wfuzz. I really prefer that tool and I found the password with that command:

    wfuzz -c  -w /usr/share/wordlists/rockyou.txt -d "email=admin@juice-sh.op&password=FUZZ" 
    -Z --sc 200 http://localhost:3000/rest/user/login
    

    spoiler:

    you have to test at least the 100000 first password of rockyou dictionnary.