Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2025-12-06 08:54:40 +01:00
Code Issues Projects Releases Wiki Activity

Markdown Fix Lint

Browse source
This commit is contained in:
Swissky 2025-10-05 18:54:42 +02:00
parent 0dc0978853
commit d49faf9874
1 changed files with 6 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
Brute Force Rate Limit/README.md
View file

@ -23,13 +23,14 @@
In a web context, brute-forcing refers to the method of attempting to gain unauthorized access to web applications, particularly through login forms or other user input fields. Attackers systematically input numerous combinations of credentials or other values (e.g., iterating through numeric ranges) to exploit weak passwords or inadequate security measures. In a web context, brute-forcing refers to the method of attempting to gain unauthorized access to web applications, particularly through login forms or other user input fields. Attackers systematically input numerous combinations of credentials or other values (e.g., iterating through numeric ranges) to exploit weak passwords or inadequate security measures.
For instance, they might submit thousands of username and password combinations or guess security tokens by iterating through a range, such as 0 to 10,000. This method can lead to unauthorized access and data breaches if not mitigated effectively. For instance, they might submit thousands of username and password combinations or guess security tokens by iterating through a range, such as 0 to 10,000. This method can lead to unauthorized access and data breaches if not mitigated effectively.
Countermeasures like rate limiting, account lockout policies, CAPTCHA, and strong password requirements are essential to protect web applications from such brute-force attacks. Countermeasures like rate limiting, account lockout policies, CAPTCHA, and strong password requirements are essential to protect web applications from such brute-force attacks.
### Burp Suite Intruder ### Burp Suite Intruder
* **Sniper attack**: target a single position (one variable) while cycling through one payload set. * **Sniper attack**: target a single position (one variable) while cycling through one payload set.
```ps1 ```ps1
Username: password Username: password
@ -99,9 +100,9 @@ JA3 is a method for fingerprinting TLS clients (and JA3S for TLS servers) by has
**Countermeasures:** **Countermeasures:**
- Use browser-driven automation (Puppeteer / Playwright) * Use browser-driven automation (Puppeteer / Playwright)
- Spoof TLS handshakes with [lwthiker/curl-impersonate](https://github.com/lwthiker/curl-impersonate) * Spoof TLS handshakes with [lwthiker/curl-impersonate](https://github.com/lwthiker/curl-impersonate)
- JA3 randomization plugins for browsers/libraries * JA3 randomization plugins for browsers/libraries
### Network IPv4 ### Network IPv4
@ -137,9 +138,8 @@ proxychains ffuf -w wordlist.txt -u https://target.tld/FUZZ
Many cloud providers, such as Vultr, offer /64 IPv6 ranges, which provide a vast number of addresses (18 446 744 073 709 551 616). This allows for extensive IP rotation during brute-force attacks. Many cloud providers, such as Vultr, offer /64 IPv6 ranges, which provide a vast number of addresses (18 446 744 073 709 551 616). This allows for extensive IP rotation during brute-force attacks.
## References ## References
* [Bruteforcing the phone number of any Google user - brutecat - June 9, 2025](https://brutecat.com/articles/leaking-google-phones) * [Bruteforcing the phone number of any Google user - brutecat - June 9, 2025](https://brutecat.com/articles/leaking-google-phones)
* [Burp Intruder attack types - PortSwigger - August 19, 2025](https://portswigger.net/burp/documentation/desktop/tools/intruder/configure-attack/attack-types) * [Burp Intruder attack types - PortSwigger - August 19, 2025](https://portswigger.net/burp/documentation/desktop/tools/intruder/configure-attack/attack-types)
* [Detecting and annoying Burp users - Julien Voisin - May 3, 2021](https://dustri.org/b/detecting-and-annoying-burp-users.html) * [Detecting and annoying Burp users - Julien Voisin - May 3, 2021](https://dustri.org/b/detecting-and-annoying-burp-users.html)