
Hydra (http-get-form) + Burp = Missing GET parameters

g0tmi1k Sep 08, 2015 04:39PM UTC

## Issue

* When using `http-get-form` with `HYDRA_PROXY_HTTP` set and using Burp as the proxy, the GET parameters are not being passed on.
* Using other proxies (such as ZAP), or not using a proxy at all, the GET requests are correct. The issue only happens when you use Burp.

**Summary**
```
export HYDRA_PROXY_HTTP=http://127.0.0.1:8080
hydra -l admin -p password -e ns -F -t 1 -w 5 -v -V 127.0.0.1 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=value_that_will_never_been_there.:H=Cookie\: security=low; PHPSESSID=incorrect_value"

127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
```


## Setup

* OS: `Kali 2.0 x64`
* Proxy: Burp Suite Proxy (Free) - Kali package: `1.6.01-0kali0` & Latest at the time of writing - `burpsuite_free_v1.6.25.jar`
* Hydra: v8.1 (Kali package: `8.1-1~kali1`)
* Target: DVWA v1.8 [6040830] ~ https://github.com/RandomStorm/DVWA


## Test 1 (Without proxy)

**This will be 'successful' with it making a request.**

```bash
[root:~]# hydra -l admin -p password -e ns -F -t 1 -w 5 -v -V 127.0.0.1 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=value_that_will_never_been_there.:H=Cookie\: security=low; PHPSESSID=incorrect_value"
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-09-08 17:03:37
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[DATA] max 1 task per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service http-get-form on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "admin" - 1 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "" - 2 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "password" - 3 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[STATUS] attack finished for 127.0.0.1 (waiting for children to complete tests)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-09-08 17:03:37
[root:~]#




[root:~]# tail -f /var/log/apache2/access.log
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
```


## Test 2 (With Burp)

![](http://i.imgur.com/D0t2uX0.png)


## Test 3 (With ZAP)

![](http://i.imgur.com/l7vMJdu.png)


Dafydd Stuttard Sep 09, 2015 02:23PM UTC Support Center agent

From a quick look at your logs, it seems that the URL parameters are not being stripped when passing through Burp. Rather, the requests containing the query string are not even being issued at all.

Do you see any error messages in the Burp alerts tab, on the command line from where you launch Burp, or anywhere else, when you run the traffic through Burp?


g0tmi1k Sep 10, 2015 02:04PM UTC

Checking the alerts tab really helped...
Enabling ‘invisible proxy support’ fixes the issue =).

Thanks for the assist!

Dafydd Stuttard Sep 14, 2015 08:21AM UTC Support Center agent

Thanks for the update. It sounds like Hydra isn’t sending standards-compliant HTTP requests in proxy-style format in some situations. Glad you got things working.
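The log comparison made earlier in the thread (requests with the query string never reach the server when proxied), as an added example that is not part of the original posts: it parses Apache access-log lines copied from the thread and reports which clients hit the form path but never sent the `username`/`password` parameters. The function names and the `FORM_PATH` constant are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format:
# host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
FORM_PATH = "/dvwa/vulnerabilities/brute/"  # form path used in the thread

# Lines copied from the access logs in the thread (direct run, then proxied run).
SAMPLE = [
    '127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"',
    '127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"',
    '127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"',
    '127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"',
    '127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"',
    '127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"',
    '127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"',
]

def summarize(lines, form_path=FORM_PATH, required=("username", "password")):
    """Per User-Agent, count form-path requests with and without the parameters."""
    stats = defaultdict(lambda: {"bare": 0, "with_params": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m["target"])
        if parts.path != form_path:
            continue  # redirect target or unrelated request
        # keep_blank_values so an empty password ("password=") still counts
        params = parse_qs(parts.query, keep_blank_values=True)
        key = "with_params" if all(p in params for p in required) else "bare"
        stats[m["agent"]][key] += 1
    return dict(stats)

def clients_missing_params(stats):
    """User-Agents that requested the form path but never with the parameters."""
    return sorted(a for a, s in stats.items() if s["bare"] and not s["with_params"])

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for agent, counts in result.items():
        print(agent, counts)
    print("missing parameters:", clients_missing_params(result))
```
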

