Burp Suite, the leading toolkit for web application security testing

Hydra (http-get-form) + Burp = Missing GET parameters

g0tmi1k Sep 08, 2015 04:39PM UTC

## Issue

* When using `http-get-form` with `HYDRA_PROXY_HTTP` set and using Burp as the proxy, the GET parameters are not being passed on.
* Using other proxies (such as ZAP), or not using a proxy at all, the GET requests are correct. The issue only happens when you use Burp.

**Summary**
```
export HYDRA_PROXY_HTTP=http://127.0.0.1:8080
hydra -l admin -p password -e ns -F -t 1 -w 5 -v -V 127.0.0.1 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=value_that_will_never_been_there.:H=Cookie\: security=low; PHPSESSID=incorrect_value"

127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
```


## Setup

* OS: `Kali 2.0 x64`
* Proxy: Burp Suite Proxy (Free) - Kali package: `1.6.01-0kali0` & Latest at the time of writing - `burpsuite_free_v1.6.25.jar`
* Hydra: v8.1 (Kali package: `8.1-1~kali1`)
* Target: DVWA v1.8 [6040830] ~ https://github.com/RandomStorm/DVWA


## Test 1 (Without proxy)

**This will be 'successful' with it making a request.**

```bash
[root:~]# hydra -l admin -p password -e ns -F -t 1 -w 5 -v -V 127.0.0.1 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=value_that_will_never_been_there.:H=Cookie\: security=low; PHPSESSID=incorrect_value"
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-09-08 17:03:37
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[DATA] max 1 task per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service http-get-form on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "admin" - 1 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "" - 2 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "password" - 3 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[STATUS] attack finished for 127.0.0.1 (waiting for children to complete tests)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-09-08 17:03:37
[root:~]#

[root:~]# tail -f /var/log/apache2/access.log
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
```


## Test 2 (With Burp)

![](http://i.imgur.com/D0t2uX0.png)


## Test 3 (With ZAP)

![](http://i.imgur.com/l7vMJdu.png)


Dafydd Stuttard Sep 09, 2015 02:23PM UTC Support Center agent

From a quick look at your logs, it seems that the URL parameters are not being stripped when passing through Burp. Rather, the requests containing the query string are not even being issued at all.

Do you see any error messages in the Burp alerts tab, on the command line from where you launch Burp, or anywhere else, when you run the traffic through Burp?


g0tmi1k Sep 10, 2015 02:04PM UTC

Checking the alerts tab really helped...
Enabling ‘invisible proxy support’ fixes the issue =).

Thanks for the assist!

Dafydd Stuttard Sep 14, 2015 08:21AM UTC Support Center agent

Thanks for the update. It sounds like Hydra isn’t sending standards-compliant HTTP requests in proxy-style format in some situations. Glad you got things working.
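
Why a listener setting can decide whether such requests are forwarded, as an added example that is not from the thread or from Burp's code: a simplified model of how a proxy listener picks the upstream target from the request line, with the Host-header fallback that invisible proxying relies on. The two sample requests are constructed; the thread does not show the bytes Hydra actually sent.

```python
from urllib.parse import urlsplit

# Constructed samples: the same login attempt written both ways.
QUERY = "/dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login"
PROXY_STYLE = f"GET http://127.0.0.1{QUERY} HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n".encode()
ORIGIN_STYLE = f"GET {QUERY} HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n".encode()

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def target_form(method, target):
    """Classify the request-target (RFC 7230, section 5.3)."""
    if target == "*":
        return "asterisk-form"
    if method == "CONNECT":
        return "authority-form"
    if target.startswith("/"):
        return "origin-form"
    if urlsplit(target).scheme in ("http", "https"):
        return "absolute-form"
    return "invalid"

def route(raw, invisible=False):
    """Return (upstream_host, path_and_query) to forward to, or None to reject."""
    method, target, headers = parse_request(raw)
    form = target_form(method, target)
    if form == "absolute-form":
        # Proxy-aware client: the destination is in the request line itself.
        url = urlsplit(target)
        path = (url.path or "/") + ("?" + url.query if url.query else "")
        return url.netloc, path
    if form == "origin-form" and invisible and headers.get("host"):
        # Non-proxy-aware client: fall back to the Host header.
        return headers["host"], target
    return None
```

With `invisible=False` the origin-form request has no usable destination and is rejected, which in this model is the point where the request carrying the query string would never reach the web server's access log.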



Copyright © 2016 PortSwigger Ltd. All rights reserved. Customer service software powered by Desk.com.