Configure bruteforce lists

A password bruteforce attack is an attempt to gain unauthorized access to a system or network using a password-cracking technique. You can find out if your web applications are vulnerable to bruteforce attacks by performing password bruteforce tests at scan time. You can configure password bruteforce lists to test passwords during scans.

* Bruteforce Lists are not available to Express Lite users.

How to create a bruteforce list

1) Go to Configuration > Bruteforce Lists > New List.

2) Enter the settings for your bruteforce list. Tip - Turn on help tips in the wizard title bar and you'll see online help when you mouse over the settings.

 - Set up a username/password list.

 - Apply tags to the list (optional).

3) Add your bruteforce list to the option profile you'll apply to your scan. (learn how to manage option profiles)

4) Launch a scan and select the option profile you've configured with your brute force list.

Who can create bruteforce lists?

User roles and permissions determine whether users have WAS Configuration Permissions; there are individual permissions for creating, editing and deleting bruteforce lists and the other WAS configurations. Learn more

Tell me about the password list

These are the usernames and passwords we'll use for bruteforce testing at scan time. You can import username/password pairs in a CSV file or add your list manually. To remove all entries, click Clear all.

Important: Password bruteforcing will be performed during the scan for both form authentication and server-based authentication when QID 150049 is included in the detection scope and when bruteforcing has been enabled under Scan Parameters in the option profile.

Why should I apply tags to the list?

Applying tags to a bruteforce list makes it available to other users. Users with a tag in their scope that matches a tag applied to a bruteforce list will be able to access that bruteforce list.

Want to define tags? It's easy - just go to the Asset Management (CyberSecurity Asset Management (CSAM)) application.

I already have a bruteforce list. How do I edit it?

Go to Configuration > Bruteforce Lists. Hover over the bruteforce list, choose Edit from the Quick Actions menu and use the wizard to edit your bruteforce list. Tip - Turn on help tips in the wizard title bar to view online help for each of the settings.

Tell me about the preview pane

The preview pane appears under the list when you click a bruteforce list row. The preview displays the number of credential entries included in the bruteforce list, the number of option profiles using the list and the last comment added to the list.

Preview pane displaying few details of the selected bruteforce list.