Bruteforce dynamic web applications with Selenium
Project description
Bruty
Bruteforce dynamic web applications with Selenium.
Installing
pip install bruty
It's assumed that you've got installed Chromium under /usr/bin/chromium and
that the
chromedriver
of the same version is found in your PATH.
Usage
If you want to content from the https://fake.web website that is not found by crawlers, you can create a list of uris in a file such as:
admin
wp-login
Then run:
bruty https://fake.web -f uris.txt
If you don't want to wait until the command ends to see the results use the -v
flag.
Fake 404 pages
Some sites return a 200 status code for the 404, if it's your case, inspect the
code of one of them and create a regular expression to catch them, imagine it's
404 error.
To test that it works run bruty against two urls, one that exists and another
that returns the fake 404, making sure that only the existent one is printed.
bruty https://fake.web -u index.html -u fake_404.html -n '404 error'
Once you know it works, run it against all the uris:
bruty https://fake.web -f uris.txt -n '404 error'
Untrusted return codes
Some websites use the 200 status code when they should use 404 or even 30X. Use
the -i flag to ignore the checking of the status code. It should be used with
the -n flag to tell the right urls from the wrong.
bruty https://fake.web -f uris.txt -i -n '404 error'
Contributing
For guidance on setting up a development environment, and how to make a contribution to bruty, see Contributing to bruty.
License
GPLv3
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
