Getting Started with Burp Suite
Burp Suite Documentation
Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.
Full Documentation Contents | Burp Projects |
Suite Functions | Burp Tools |
Options | Using Burp Suite |
Burp Extender
Burp Extender lets you extend the functionality of Burp Suite in numerous ways.
Extensions can be written in Java, Python or Ruby.
API documentation | Writing your first Burp Suite extension |
Sample extensions | View community discussions about Extensibility |
Hydra (http-get-form) + Burp = Missing GET parameters
## Issue
* When using `http-get-form` with `HYDRA_PROXY_HTTP` set and using Burp as the proxy, the GET parameters are not being passed on.
* Using other proxies (such as ZAP), or not using a proxy at all, the GET requests are correct. The issue only happens when you use burp.
**Summary**
```
export HYDRA_PROXY_HTTP=http://127.0.0.1:8080
hydra -l admin -p password -e ns -F -t 1 -w 5 -v -V 127.0.0.1 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=value_that_will_never_been_there.:H=Cookie\: security=low; PHPSESSID=incorrect_value"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra Proxy)"
127.0.0.1 - - [08/Sep/2015:17:31:01 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra Proxy)"
```
## Setup
* OS: `Kali 2.0 x64`
* Proxy: Burp Suite Proxy (Free) - Kali package: `1.6.01-0kali0` & Latest at the time of writing - `burpsuite_free_v1.6.25.jar`
* Hydra: v8.1 (Kali package: `8.1-1~kali1`)
* Target: DVWA v1.8 [6040830] ~ https://github.com/RandomStorm/DVWA
## Test 1 (Without proxy)
**This will be 'sucessful' with it making a request.**
```bash
[root:~]# hydra -l admin -p password -e ns -F -t 1 -w 5 -v -V 127.0.0.1 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=value_that_will_never_been_there.:H=Cookie\: security=low; PHPSESSID=incorrect_value"
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2015-09-08 17:03:37
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[DATA] max 1 task per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service http-get-form on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "admin" - 1 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "" - 2 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "password" - 3 of 3 [child 0]
[VERBOSE] Page redirected to http://127.0.0.1/dvwa/vulnerabilities/brute/../../login.php
[STATUS] attack finished for 127.0.0.1 (waiting for children to complete tests)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-09-08 17:03:37
[root:~]#
[root:~]# tail -f /var/log/apache2/access.log
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/ HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.0" 302 333 "-" "Mozilla/5.0 (Hydra)"
127.0.0.1 - - [08/Sep/2015:17:03:37 +0100] "GET /dvwa/vulnerabilities/brute/../../login.php HTTP/1.0" 200 1515 "-" "Mozilla/5.0 (Hydra)"
```
## Test 2 (With Burp)

## Test 3 (With ZAP)

From a quick look at your logs, it seems that the URL parameters are not being stripped when passing through Burp. Rather, the requests containing the query string are not even being issued at all.
Do you see any error messages in the Burp alerts tab, on the command line from where you launch Burp, or anywhere else, when you run the traffic through Burp?
Enabling ‘invisible proxy support’ fixes the issue =).
Thanks for the assist!
Thanks for the update. It sounds like Hydra isn’t sending standards-compliant HTTP requests in proxy-style format in some situations. Glad you got things workng.