http-post-form with json payload

[tuxerrante]

Hi,
I'm not able to test my website since it is a javascript front-end expecting a json payload through a POST and answering with another json message in case of error.
In my login page there is only a password field to fill, without even a username needed.

The only example I've found on the web is from 2014
https://security.stackexchange.com/questions/57839/hydra-bruteforce-and-json

Do you know a better way to do that?

[gnebbia]

Ok, so a way to tackle this could be the following. I would advice the usage of an HTTP proxy such as OWASP ZAP or Burp Suite to capture the HTTP requests happening when you login and when you are trying to use hydra.

So I would do the following:

1. Capture through the proxy the HTTP request when you login normally from your web browser and save it;
2. Capture through the proxy the HTTP request when you are trying to bruteforce with hydra and save it;
3. At this point you can compare the requests and understand what you are doing wrong with hydra.

I think this could be the first step to understand how we should tune hydra for your specific scenario.

[devlavender]

@gnebbia look, it seems like this user is saying they KNOW what their own website is expecting! Some websites do not expect an application/x-form-url-encoded (whatever-whatever), but a JSON HTTP payload to be sent via POST instead.

It's not necessary to capture the request when you developed the web application and know what it expects.

The question is, actually, how to do it in the tool, since the tool seems to have an application/x-form-url-encoded (whatever-whatever) content-type hardcoded for the request. At least in the code quoted in the linked page, which is from 2014.