⛏️ Write a test to bruteforce password of a user

[aktoboy]

💭 Introduction:
We want to test whether an attacker can guess the password of an user via brute force.

🎯 Requirements:
This test should run on api which is used to login.
The test should correctly detect whether the api is vulnerable to brute force attack.

✅ Task summary:

• Ask to be assigned to the issue.
• Wait to be assigned. We will try to assign in less than 2 hours.
• Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
• Fork the akto repo, create a new branch.
• Create a new Java class BruteforcePassword which will contain the main logic related to the test in akto>apps>testing>src>main>java>com>akto>rules package. This class will extend TestPlugin class and you will need to override the start method. This method will contain the logic to filter the stored apis for which this test will be executed. Consider only login related apis taking in username as a parameter in the request body and the stored responses should have a 2XX status code. Take a look at PageSizeDosTest.java for reference.
• Once we have apis which have cleared our filtering criteria, we should execute the yaml created previously by creating an object of FuzzingTest class and then calling FuzzingTest's runNucleiTest method.
• We will need to create a new subcategory for the newly added test in GlobalEnums.java file's TestSubcategory enum where we will describe the new test we are adding.
• Now we just need to call this test whenever user triggers testing. For this we need to create a object of the BruteforcePassword class in TestExecutor.java file and then pass this object to the runTest method.
• Write unit tests to test your changes.
• Submit both the PRs here.

✌🏻 Hints:
You can build the yaml template by referring this link
You can refer the PR here for changes to be done in akto repo: link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

[roshhni97]

@aktoboy I would like to work on this issue please assign it to me.

[Ankita28g]

Thanks for your interest 🎉 @Roshani9731

Assigning to you! Happy hackfesting 🥳 @aktoboy will help you here.

[aktoboy]

Hey @Roshani9731, let me know if you need any help with this issue.

[aktoboy]

Hey @Roshani9731, I have updated the issue description with more details. Please go through the updated description. Let me know if you need any help. Happy hackfesting!!!

[Ankita28g]

Hi @Roshani9731 are you still working on this?

[Ankita28g]

Hi @Roshani9731 thanks for your submission in Hackfest. 🔥 We are reviewing your work. Do these two below:

Join this group on discord for discussions around prizes? 🚀 🏆
Please fill this form your PR to be considered for prizes!

[piyushpandey2000]

Is this still open?

[Ankita28g]

Yes

[iligeoili]

If this is still open can i work on it ?

[ankush-jain-akto]

Hi @iligeoili - this issue is still open. Would be glad if you can contribute here. 😃

[SanchitMahajan236]

Hey !! Can you please assign me this issue ? I am willing to contribute.

[avneesh-akto]

I've assigned it to you, @SanchitMahajan236 . Happy hacking! Feel free to join our Discord if you need assistance.

[KabirSinghShekhawat]

Is this issue still open 🙂