Brute Force Attack Tools Using Python
Python Brute Force Attack Tools
A universal brute force tool with CSRF bypass support for both traditional form-based and JSON API logins.
Features
- Form-based login (traditional HTML forms)
- JSON API login (modern SPA/React/Vue/Angular sites)
- Universal CSRF bypass (hidden inputs, meta tags, cookies, headers)
- Auto-detection of login type, field names, and API endpoints
- Multi-threaded with progress bar
- Color-coded terminal output
Installation
pip install -r requirements.txt
Usage
python3 bruteforce.py
The tool walks you through 3 steps:
Step 1 โ Target Info
You'll be asked for:
- Login page URL โ e.g.
https://example.com/login - Username / email โ the account to test
- Wrong password error message โ log in with a wrong password in your browser, copy the exact error text (check DevTools โ Network โ response body if needed)
Step 2 โ Review & Adjust
The tool auto-detects field names, login mode, and API endpoint by fetching the page. Review what it found and press Enter to accept, or type a new value to override.
Username field name [email]:
Password field name [password]:
API endpoint [https://example.com/api/login]:
Login mode [auto]:
Login mode options: auto (use detected), form (HTML form POST), api (JSON POST).
Step 3 โ Attack Settings
- Workers โ number of concurrent threads (default 10)
- Password file โ path to your wordlist (default
passwords.txt)
Y to begin.
Example
Target login page URL: https://example.com/login
Target username / email: admin
Wrong password error message: Invalid email or password
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ AUTO-DETECTING TARGET โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ [*] Fetching login page... [*] Detecting login type... [+] Detected: JSON API login (modern/SPA site) [+] Username field: email [+] Password field: password [+] API endpoint: https://example.com/api/login [+] CSRF token: csrfmiddlewaretoken [+] Auto-detection complete!
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ RESULTS โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
PASSWORD FOUND!
Username admin Password admin123
Finding the Error Message
If you're not sure what to enter for the error message:
- Open the login page in your browser
- Open DevTools (F12) โ Network tab
- Submit a wrong password
- Click the login request โ Response tab
- Copy the exact error text from the response
CSRF Bypass
The tool automatically handles these CSRF protection methods:
| Method | Example | Frameworks | |--------|---------|------------| | Hidden Input | <input type="hidden" name="csrf_token"> | Django, Laravel, Rails | | Meta Tags | <meta name="csrf-token" c> | Rails, Laravel | | Cookies | XSRF-TOKEN cookie | Express, Spring | | Headers | X-CSRFToken header | Django REST Framework | | JavaScript | var csrfToken = "..." | Custom implementations |
Legal Disclaimer
Only use this tool on systems you own or have explicit permission to test.
Unauthorized access to computer systems is illegal. This tool is for:
- Security researchers
- Penetration testers
- CTF players
- Educational purposes
Resources
Contributing
Pull requests are welcome. For major changes, please open an issue first.