Unveiling WebCrack: Automated Bulk Weak‑Password and Universal‑Password Cracking for Web Backends
When security testers need to scan thousands of web back‑ends for weak or universal passwords, WebCrack provides a fast, generic solution that automatically identifies login parameters, evaluates login success, applies dynamic dictionaries, rechecks results, and supports custom rules for a wide range of CMS platforms.
Tool Overview
WebCrack is a bulk web‑backend weak‑password and universal‑password cracking tool that supports popular CMS such as Discuz, DedeCMS, phpMyAdmin and also works on many custom sites.
Implementation Idea
The workflow mimics manual Burp Suite Intruder testing: capture a request, mark the parameters to brute‑force, send payloads, and compare responses.
Parameter Identification
WebCrack uses the web_pwd_common_crack approach to locate username and password fields by searching for keywords like user, pass, and their pinyin variations (e.g., yonghu, mima).
Login Success Determination
Two guaranteed‑wrong passwords are sent first; if the response lengths differ, the target is considered non‑deterministic and the scan stops. If the lengths are identical, the length is recorded as a baseline. Subsequent responses are compared to this baseline, while also checking for the presence of login‑page keywords after redirection.
Direct page‑equality checks are avoided because many CMS display a failure dialog without changing the URL.
Recheck Phase
After a potential credential is found, WebCrack resends the request and compares the new response length against the recorded failure baseline; a mismatch on this second attempt confirms a correct password. This step reduces false positives caused by WAF‑induced response changes.
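From the defender's side, the success check described above leaves a distinctive trace: a burst of login POSTs from one client whose response sizes are almost all identical, with one or two outliers. The following is an added detection example (not WebCrack's code, and not taken from any real server); the access-log lines are constructed in combined log format, and the login path list, window and threshold are assumptions to adapt to the deployment.

```python
"""Flag bulk login probing in web-server access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample (combined log format); 203.0.113.7 is the probing client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /admin/login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /admin/login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /admin/login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /admin/login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /admin/login.php HTTP/1.1" 302 211 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /admin/login.php HTTP/1.1" 302 211 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2024:12:05:10 +0000] "POST /admin/login.php HTTP/1.1" 302 211 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:12:07:30 +0000] "GET /admin/index.php HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
LOGIN_PATHS = ("/admin/login.php",)   # assumption: the deployment's login endpoints
WINDOW = timedelta(seconds=60)         # assumption: observation window
THRESHOLD = 5                          # assumption: POSTs per window that count as a burst


def parse(lines):
    """Yield (ip, timestamp, method, path, status, size) for each parseable line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m["size"] == "-" else int(m["size"])
        yield m["ip"], ts, m["method"], m["path"], int(m["status"]), size


def find_bulk_login_probes(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: {"attempts": n, "sizes": {size: count}}} for clients that POST
    to a login path at least `threshold` times inside `window`.

    The size histogram is kept on purpose: many identical failure sizes plus a
    single divergent one is exactly the signal a length-baseline cracker relies
    on, so it is worth surfacing to the analyst alongside the raw count.
    """
    posts = defaultdict(list)
    for ip, ts, method, path, status, size in parse(log_text.splitlines()):
        if method == "POST" and path in LOGIN_PATHS:
            posts[ip].append((ts, status, size))

    findings = {}
    for ip, events in posts.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                sizes = Counter(s for _, _, s in burst)
                findings[ip] = {"attempts": len(burst), "sizes": dict(sizes)}
                break
    return findings


if __name__ == "__main__":
    for ip, summary in find_bulk_login_probes(SAMPLE_LOG).items():
        print(f"{ip}: {summary['attempts']} login POSTs, response sizes {summary['sizes']}")
```

The mitigation that follows from the same observation is to make failed and successful logins indistinguishable by length and status (for example, always answering a POST with the same redirect and carrying the outcome in the session), and to rate-limit the endpoint per client, so that the baseline the tool records carries no information.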
Dynamic Dictionary
If the target lacks a domain name, the tool generates a list such as test.webcrack.com, webcrack.com, webcrack, etc., which can be customized with suffixes.
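Because the dynamic dictionary is derived mechanically from the hostname, a password policy can apply the same derivation in reverse and refuse any password a domain-based list would contain. The following is an added example (not part of WebCrack); the candidate shapes and the suffix list are assumptions chosen to cover the test.webcrack.com / webcrack.com / webcrack forms the text names.

```python
"""Reject passwords derived from the site's own hostname (added example)."""

# Assumed suffixes a domain-based wordlist would append; not taken from the page.
COMMON_SUFFIXES = ("", "123", "1234", "2024", "@123", "!", "admin")


def domain_candidates(hostname):
    """Return the set of password candidates a hostname-derived list would contain:
    the full host, each parent domain, each bare label, optionally capitalised,
    with each common suffix appended."""
    host = hostname.lower().strip(".")
    labels = host.split(".")
    bases = {host}
    # strip leading labels one at a time: test.webcrack.com -> webcrack.com -> com
    for i in range(1, len(labels)):
        bases.add(".".join(labels[i:]))
    # bare labels other than the last (TLD-like) one: test, webcrack
    bases.update(labels[:-1])
    out = set()
    for base in bases:
        if len(base) < 3:           # too short to be a meaningful candidate
            continue
        for suffix in COMMON_SUFFIXES:
            out.add(base + suffix)
            out.add(base.capitalize() + suffix)
    return out


def is_domain_derived(password, hostname):
    """True if `password` matches a hostname-derived candidate exactly, or if the
    registrable label (e.g. 'webcrack') appears anywhere inside it."""
    candidates = domain_candidates(hostname)
    if password in candidates or password.lower() in candidates:
        return True
    labels = hostname.lower().strip(".").split(".")
    core = labels[-2] if len(labels) >= 2 else labels[0]
    return len(core) >= 4 and core in password.lower()


if __name__ == "__main__":
    for pw in ("webcrack123", "Webcrack.com", "myWEBCRACKpass", "correct horse battery"):
        print(f"{pw!r}: {'rejected' if is_domain_derived(pw, 'test.webcrack.com') else 'ok'}")
```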
Universal Password Detection
Common universal‑password payloads (e.g., admin' or '1'='1) are tried; detections that trigger WAF blocks are filtered using a blacklist.
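The universal-password payloads this stage tries only work against a login query that splices user input into SQL text. The following added example (not WebCrack's code) builds an in-memory SQLite user table and shows the spliced query beside a parameterised one, so the reader can verify that the payload named above is treated as a literal username once parameters are used. The table, account and hashing helper are constructed for the demonstration.

```python
"""Spliced vs parameterised login query against the universal-password payload
(added example). Uses only the Python standard library."""
import hashlib
import sqlite3

UNIVERSAL_PAYLOAD = "admin' or '1'='1"   # payload shape named in the article


def hash_pw(pw):
    # Demonstration only: a real system uses a salted, slow KDF (argon2/bcrypt/scrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db():
    """Constructed user table with one admin account and a placeholder password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", hash_pw("s3cret-placeholder")))
    return conn


def login_spliced(conn, username, password):
    """The vulnerable pattern: user input becomes part of the SQL text, so the
    payload turns the WHERE clause into `username='admin' OR ('1'='1' AND ...)`."""
    query = (
        "SELECT username FROM users WHERE username='%s' AND password_hash='%s'"
        % (username, hash_pw(password))
    )
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn, username, password):
    """The hardened form: the driver binds values separately from SQL text, so the
    payload is compared as a plain string and matches no account."""
    query = "SELECT username FROM users WHERE username=? AND password_hash=?"
    return conn.execute(query, (username, hash_pw(password))).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("spliced  + payload :", login_spliced(db, UNIVERSAL_PAYLOAD, "x"))
    print("param    + payload :", login_parameterised(db, UNIVERSAL_PAYLOAD, "x"))
    print("param    + real    :", login_parameterised(db, "admin", "s3cret-placeholder"))
```

The blacklist the article mentions filters WAF block pages out of the results; on the defending side the equivalent control is that the parameterised query makes the whole payload class inert, and a WAF rule matching the quoted `or '1'='1` fragment then serves only as a detection signal rather than the protection.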
Custom Rules
Users can define CMS‑specific rules in a cms.json file, specifying keywords, captcha presence, success/failure flags, and notes. This allows fine‑tuning for obscure or heavily protected sites.
Captcha Handling
Captcha recognition is omitted because it is unreliable and slows scanning; the tool simply aborts when a captcha is detected.
Testing Results
Compared with web_pwd_common_crack, WebCrack discovered 19 vulnerable sites (16 true positives) versus 11 (7 true positives) for the reference tool, including additional universal‑password and dynamic‑dictionary findings.
Conclusion
WebCrack addresses the diversity of web‑backend login mechanisms, handling redirects, error‑length variations, and WAF interference, while offering extensibility through custom rule files.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.