A Fuzzing Approach to Credentials Discovery using Burp Intruder

Password guessing against web-based applications typically relies on a pattern match of what a 'successful' login response looks like. It may also consider HTML status codes such as looking for a ë200 OK' server response. Armed with this information, the tester is able to begin processing hundreds or thousands of server responses, looking for alerts when the anticipated pattern is detected. But what if you don't know what a 'successful' login response looks like for the application you're testing? Or the server always returns a ë200 OK' response? Or similarly, what if the server responds with a failure for the access you were after, but provides information about another form of access you hadn't known existed? This may not be a 'successful' login, but may still provide you with a wealth of information; some of the failure information itself may also be of particular interest.