Burp Suite User Forum


daher | Last updated: Dec 12, 2022 06:54PM UTC

Hey guys, I am starting with Burp with the brute force method on login forms. I tried to use it on a website specialized for vulnerabilities and it seems to work great. When I make a request, Burp gives the username and the password fields that we can use with Intruder to brute force. However, out of curiosity and to understand, as I am still a newbie, I tried to see the request on Instagram, but the website does not show the username and password on the HTTP login in Burp. Do you know why?

Ben, PortSwigger Agent | Last updated: Dec 13, 2022 01:39PM UTC

Hi Daher, the way that the authentication process is handled is going to be subtly different for each web application that you look at. The deliberately vulnerable apps are also likely to be 'more obvious' in terms of how the authentication process is carried out and, naturally, easier to interfere and tamper with. Having a quick look at Instagram, it looks like the supplied username and encrypted password are supplied in a POST request to the /api/v1/web/accounts/login/ajax/ endpoint. If you carry out a search (via the Burp -> Search menu item) for the username that you have supplied during the login process, you should be able to identify this request (along with other requests in the sequence).
