Broken brute-force protection, multiple credentials per request

In this lab we want to brute-force the password of the user "carlos" and access his account.

As usual, we start by intercepting the login request, but this time the login credentials are submitted in JSON format.

Since we can manipulate this JSON body, there is no need to run the attack with Intruder. All we have to do is send the request to Repeater and replace the single string value of the password with an array of strings containing all of the candidate passwords. The wordlist can be turned into that array with the command `sed 's/.*/"&",/' passwords.txt`, which prints every line wrapped in double quotes and followed by a comma (the trailing comma on the last entry has to be removed for the array to be valid JSON).

Sending this request returns a "302" response code, which means that we managed to log in to the website. We can click on "Show response in browser" to navigate to the web page with the successful login.
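The root cause of this lab is on the server side: the login handler accepts whatever JSON type the client sends for the `password` field, so a single request can carry dozens of guesses and the per-request lockout counter never trips. The following is an added example that is not part of the lab or the original write-up; the user store, password value and function names are constructed for illustration. It shows a vulnerable handler next to a hardened one that enforces the expected schema, plus a small helper that exposes how many candidates a request body carried, which is the signal a defender would log and alert on.

```python
import json
import hmac

# Constructed demo credential store; not the lab's real data.
_USERS = {"carlos": "s3cret-demo-password"}


def _matches(stored, candidate):
    """Constant-time comparison; anything that is not a string never matches."""
    return isinstance(candidate, str) and hmac.compare_digest(
        stored.encode(), candidate.encode()
    )


def vulnerable_login(raw_body):
    """Accepts the 'password' field as either a string or a list.

    If a list is sent, every element is tried against the stored password,
    so one HTTP request tests many guesses while only counting as a single
    attempt for any request-based lockout logic.
    """
    body = json.loads(raw_body)
    stored = _USERS.get(body.get("username"))
    if stored is None:
        return False
    pw = body.get("password")
    candidates = pw if isinstance(pw, list) else [pw]
    return any(_matches(stored, c) for c in candidates)


def hardened_login(raw_body):
    """Rejects any request where username or password is not a plain string.

    With the schema enforced, one request can only ever test one credential
    pair, so a failed-attempt counter per account or source IP is meaningful.
    """
    try:
        body = json.loads(raw_body)
    except (json.JSONDecodeError, TypeError):
        return False
    if not isinstance(body, dict):
        return False
    username, pw = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(pw, str):
        return False  # schema violation: refuse rather than coerce
    stored = _USERS.get(username)
    return stored is not None and _matches(stored, pw)


def password_candidate_count(raw_body):
    """Detection helper: how many password values did this request carry?

    A value above 1 means the client is packing multiple guesses into one
    request; that is worth logging as a brute-force indicator even when the
    hardened handler rejects it.
    """
    try:
        body = json.loads(raw_body)
    except (json.JSONDecodeError, TypeError):
        return 0
    pw = body.get("password") if isinstance(body, dict) else None
    if isinstance(pw, list):
        return len(pw)
    return 1 if isinstance(pw, str) else 0


if __name__ == "__main__":
    # Constructed request: several wrong guesses plus the right one in an array.
    packed = json.dumps(
        {"username": "carlos", "password": ["123456", "qwerty", "s3cret-demo-password"]}
    )
    print("vulnerable handler accepts packed request:", vulnerable_login(packed))
    print("hardened handler accepts packed request:  ", hardened_login(packed))
    print("candidates carried by the request:       ", password_candidate_count(packed))
```

The hardened handler is deliberately strict about type rather than trying to "unwrap" a one-element list: a server that coerces unexpected types is exactly how the array trick starts working, and the reject-and-log path gives the detection side a clean event to count.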
