I am a newcomer to the security field, and as a developer, I wanted to test my websites and applications. That's when I came across Hydra. On my website, I tried to perform a brute-force attack using a wordlist that contains only my username and password. However, it still doesn't validate. Interestingly, on the website recommended by the Hydra developers for testing purposes, http://testphp.vulnweb.com, it works correctly. You can find the link to the Hydra repository here: https://github.com/vanhauser-thc/thc-hydra. I used the following command on the test website:
hydra testphp.vulnweb.com http-form-post "/userinfo.php:uname=^USER^&pass=^PASS^:login page" -L wordlist_user.txt -P wordlist_passvulnweb.txt -V
And on my site, I used the command:
hydra MEUSITE.DIGITAL http-form-post "/index.php:username=^USER^&password=^PASS^:login" -L wordlist_user.txt -P wordlist_pass.txt -V
The /index is the form action, the username is the name attribute of the user input field, and password is the name attribute of the password input field. I just didn't understand how Hydra identifies that the password didn't work.
If anyone can help me, I would greatly appreciate it.
I expected to be able to validate the user and password, as it happened on the website http://testphp.vulnweb.com, but it didn't work on my site!
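Added example, not part of the original post and not Hydra's own code: a simplified Python model of how the third colon-separated field of the `http-form-post` option is used, namely as a marker string searched for in the response and read as a failure marker unless prefixed with `S=`. The two response pages are constructed for illustration, the function names are hypothetical, and plain substring matching is an assumption of this sketch.

```python
# Simplified model of the http-form-post condition field (not Hydra's code).
# Assumption: plain substring matching; optional fields after the condition
# (extra headers, cookies) are ignored here.

POST_OPTION = "/index.php:username=^USER^&password=^PASS^:login"

# Constructed sample responses from a hypothetical login form.
FAILED_PAGE = "<p>Invalid username or password</p><button>login</button>"
OK_PAGE = "<h1>Dashboard</h1><a href='/logout.php'>logout</a> login history"


def parse_form_option(option):
    """Split 'path:form-parameters:condition' into its three fields."""
    path, params, condition = option.split(":", 2)
    if condition.startswith("S="):      # marker present means success
        kind, marker = "success", condition[2:]
    elif condition.startswith("F="):    # marker present means failure
        kind, marker = "failure", condition[2:]
    else:                               # no prefix: treated as failure marker
        kind, marker = "failure", condition
    return {"path": path, "params": params, "kind": kind, "marker": marker}


def fill(params, user, password):
    """Substitute the ^USER^ and ^PASS^ placeholders in the form body."""
    return params.replace("^USER^", user).replace("^PASS^", password)


def attempt_succeeded(opt, response_text):
    """Classify one response the way the marker rule dictates."""
    found = opt["marker"] in response_text
    return found if opt["kind"] == "success" else not found


def marker_is_usable(opt, failed_response, ok_response):
    """A marker is only useful if it tells the two responses apart."""
    return (not attempt_succeeded(opt, failed_response)
            and attempt_succeeded(opt, ok_response))


if __name__ == "__main__":
    opt = parse_form_option(POST_OPTION)
    print(fill(opt["params"], "alice", "s3cret"))
    # "login" occurs in both constructed pages, so even the correct
    # password is classified as a failed attempt.
    print(marker_is_usable(opt, FAILED_PAGE, OK_PAGE))
```

Comparing the real responses for one known-good and one known-bad login on your own site shows which string appears in only one of them.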