I know what you are thinking, bruteforce doesn’t work anymore in many cases. However, Blazy is not just another brute-force tool. It can also check for CSRF (Cross Site Request Forgery), Clickjacking, Cloudflare hosts and even for WAF. It’s also multi threading and has very good error detection system.
Installing Blazy
As always, open up a terminal and type;
git clone https://github.com/s0md3v/Blazy
And then install the requirements.
cd Blazy/ pip install -r requirements.txt
Running Blazy
Blazy is python based, so the best way to run it, is;
python blazy.py
***if you have a problem with the installation just type ‘pip install –upgrade html5lib==0.9999999‘***
In the directory you can see 2 .txt files – password.txt and username.txt. These are the default files of Blazy which contains some basic SQL injection parameters to test. If you want your own wordlists you have to download them or create them with wordlist creation tools, such as crunch. Then, simply move the default files from Blazy directory and put your files in it. Rename them as the default files.
Pretty simple interface, type the url of the target and let the tool make all the work for you.
As we can see in our example, blazy found clickjacking and CSRF vulnerabilities in the login page. Also, it loaded the default username and password files, to check for SQL injection. We found that the login page is also vulnerable to sql injection and now we can connect to the site with the results we got.
What Bunny rating does it get?
Blazy is very simple tool to use . You can open many threads to bruteforce against login pages. As I said before, many sites have protection from bruteforce attacks, but blazy can do other things, too. So, I’m giving it 3 out of 5 bunnies.
Want to learn more about ethical hacking?
Do you know of another GitHub related hacking tool?
Get in touch with us via the contact form if you would like us to look at any other GitHub ethical hacking tools.