Breaking the Application with Shritam Bhowmick – Application Bruteforce Demystified.

Web Form Brute Force Methods

Demonstration by Shritam Bhowmick
Web Application Penetration Tester
Independent Consulting Security Evangelist


This is a set of web application penetration testing challenges that presents several challenges for web application security researchers to break in a safe environment. This is for lab practice only, and no part of this document was provided by the original authors. Having pulled out my old research on application security, I thought I would give back to the community, but not all releases are meant to be pushed here. This research is part of my private application security research and proudly serves as an opening opportunity for others to delve into and work further on the same as provided, as long as the original authors are credited.


Method 1: Using Hydra to Brute Force Web Logins
Method 2: Using Burp Suite Intruder to Brute Force Web Logins
Method 3: Using Python to break Web-Form Login
Method 4: Using WebSlayer to Brute Force Web Logins
Method 5: Nmap Script Code to break web form
Contact Information.



Web Form Bruteforcing for Web Applications.


This is yet another post on how to conduct a web form brute-force attack on a web application using the ‘GET’ method rather than a ‘POST’ request, since the application supports ‘GET’-based requests only. This series of research papers on the exploitation of a target web application set up for vulnerability analysis is conducted for ‘testing’ and ‘training’ purposes.

What’s different about this research?

I have personally gone over and deduced ‘several’ ways, and not just ‘one’ way, to tackle the web application as a target. This first post and the paper itself will deliver the ‘attack’ using different methods rather than ‘stick’ to one particular method of exploitation. It’s not open to everyone, and these papers are being kept private for reasons. However, this first paper will be public.

What’s not included in the paper?

I have refrained from adding yet ‘another’ method to the public version of the paper. This is done to keep the presentation limited to four methods. There are 5 or more possible methods of conducting the same exploitation on the target.

Sample images of the paper?

Here are some sample images taken from the papers (the images themselves are not reproduced here):

[Image: Sample 2]

[Image: Sample 3]


What are some of the methods explained?

Some of the methods explained for brute-forcing the web form login of targeted web applications include:

  • Exploitation via crunch-generated password and username files
  • Exploitation using Burp Suite Intruder
  • Exploitation using a Python script for automation
  • Exploitation using WebSlayer by feeding generated dictionaries into the tool

I have refrained from discussing more methods in the paper because the paper itself is supposed to be private for various specific reasons. Those being trained under the ‘Web Application Exploitation’ course have access to these papers and benefit from them.

Where can this paper be downloaded from?

Currently this paper can be downloaded from my personal Dropbox; any further changes will not be reflected here, as the original paper is updated much sooner than expected. Download link:

I am considering uploading these public papers in various places, so that if one site goes down, they remain accessible for download via another. This is part of a series of papers to come. Some of them will definitely be public. Others won’t be.