I'm new in cybersecurity and I'm trying to hack the docker container juice-shop from OWASP as training: OWASP juice shop.
I'm trying to brute force the login page with hydra, but hydra just return 16 fake positives and I really don't understand why:
hydra 127.0.0.1 -s 3000 -l admin@juice-sh.op -P rockyou.txt http-post-form "/#/login:email=^USER^&password=^PASS^&loginButton=submit:F=Invalid email or password."
I guess that could came from the login page that is a angular page . SPA must have some interaction problem with hydra but I don't really know. Someone could help me understand what happened here?
I have tried to change the hydra command line changing parameters for 3hours:
hydra 127.0.0.1 -s 3000 -l admin@juice-sh.op -P rockyou.txt http-post-form "login:email=^USER^&password=^PASS^:F=Login"
I looked in the solution from OWASP. They didn't use hydra: OWASP solution
I found password with sql injection but I would find it with brute-force and Hydra , I would like understand why it's not working.
I got some answers. Hydra don't look to be the appropriate tool to brute force with json payload. You could recode hydra script but I found wfuzz. I really prefer that tool and I found the password with that command:
wfuzz -c -w /usr/share/wordlists/rockyou.txt -d "email=admin@juice-sh.op&password=FUZZ"
-Z --sc 200 http://localhost:3000/rest/user/login
spoiler:
you have to test at least the 100000 first password of rockyou dictionnary.