W3brute: Automatic Web Application Brute Force Attack Tool

W3brute: Automatic Web Application Brute Force Attack Tool


W3brute is an open source pentesting tool that automates attacks directly to the website’s login page. W3brute is also supported for carrying out brute force attacks on all websites.

Disclaimer: Usage of w3brute for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program.

W3brute: Automatic Web Application Brute Force Attack Tool


  • Scanner: support the bruteforce attack process (automatically detects target authentication type, admin page scanner, SQL injection scanner vulnerability).
  • Various attack methods: SQL injection bypass authentication, mixed credentials (username + SQL injection queries).
  • Support: multiple target, google dorking, web interface attacks (web shell, HTTP 401 UNATHORIZED).
  • Create file results brute force attack (CSV, HTML, SQLITE3).
  • Supports custom credentials (username, password, domain), custom HTTP requests (User-Agent, timeout, etc.) .


  • Python 2.6.x/2.7.x
W3brute should work on any platform with Python 2.6.x or 2.7.x.


Clone it form the GitHub repo:

$ git clone https://github.com/aprilahijriyan/w3brute.git

Navigate to the working directory and make it executable:

$ cd w3brute/
$ chmod +x w3brute.py

To start using it, simply run:

$ python w3brute.py

Basic Usage

To list all available options, use -h:

$ python w3brute.py -h
Usage: python w3brute.py [options]

-h, --help Show this help message and exit
-v, --version Show program's version number and exit

this option is used to get or enter a specific target(s).

-t, --target Target URL (e.g. http://www.example.com/admin/login.php)
-l Load target from file (e.g. /path/to/target.txt)
-g Find target(s) with google dork (e.g. inurl:/adm/medsos.php)

this option is used to enter a list of usernames, passwords and domains.
which will be used to find target account / password.

-u, --user Username or FILE (e.g. /path/to/usernames.txt)
-p, --pass Password or FILE (e.g. /path/to/passwords.txt)
-d, --domain Email domain (default gmail.com)

this option is used to connect to target.

--agent HTTP User-Agent header value to send to server
--timeout Socket timeout (default 30)
--retries Limit repeats connection if connection has a problem (default 5)
--delay Waiting time when response connection is problematic (default 3)
--proxy Use a proxy to connect to target (e.g.
--proxy-cred Proxy credentials (e.g. username:password)

this option is used to help you find / get target information

--sqli SQL injection scanner vulnerability
--admin Admin page scanner

this option is used to select attack method to be used.

-sB, --sqli-bypass SQL injection bypass authentication technique
-mC, --mixed-cred Mixed credentials (username + SQL injection query)

Usage Examples:

$ python w3brute.py -t http://www.example.com/admin/login.php
 [INFO] total target: 1
[INFO] #1 url: http://www.example.com/admin/login.php
[INFO] check the target if the target has the potential to attack…
[INFO] search form…
[INFO] detected target has 1 forms
[INFO] try searching for form that goes to the website dashboard…
[INFO] form that goes to the website dashboard is found
[INFO] detecting target authentication type…
[INFO] authentication type: 'email'
[INFO] find parameter(s)…
[INFO] preparing credentials…
[ASK] do you want to add a domain for email? (default 'gmail.com') (Y/n): n
[INFO] adding domain to username…
[INFO] preparing credentials is complete
[INFO] starting attacks…
[INFO] testing account ->…

To look for the admin page, run the following:

$ python w3brute.py -t http://www.example.com/ --admin 
Download Box