A universal brute force tool with CSRF bypass support for both traditional form-based and JSON API logins.
- Form-based login (traditional HTML forms)
- JSON API login (modern SPA/React/Vue/Angular sites)
- Universal CSRF bypass (hidden inputs, meta tags, cookies, headers)
- Auto-detection of login type, field names, and API endpoints
- Multi-threaded with progress bar
- Color-coded terminal output
```bash
pip install -r requirements.txt
python3 bruteforce.py
```

The tool walks you through 3 steps:
You'll be asked for:
- Login page URL — e.g. https://example.com/login
- Username / email — the account to test
- Wrong password error message — log in with a wrong password in your browser, copy the exact error text (check DevTools → Network → response body if needed)
The tool auto-detects field names, login mode, and API endpoint by fetching the page. Review what it found and press Enter to accept, or type a new value to override.
```
Username field name [email]:
Password field name [password]:
API endpoint [https://example.com/api/login]:
Login mode [auto]:
```
Login mode options: auto (use detected), form (HTML form POST), api (JSON POST).
- Workers — number of concurrent threads (default 10)
- Password file — path to your wordlist (default passwords.txt)
A summary is shown before starting. Confirm with Y to begin.
```
Target login page URL: https://example.com/login
Target username / email: admin
Wrong password error message: Invalid email or password
──────────────────────────────────────────────────────────
AUTO-DETECTING TARGET
──────────────────────────────────────────────────────────
[*] Fetching login page...
[*] Detecting login type...
[+] Detected: JSON API login (modern/SPA site)
[+] Username field: email
[+] Password field: password
[+] API endpoint: https://example.com/api/login
[+] CSRF token: csrfmiddlewaretoken
[+] Auto-detection complete!
──────────────────────────────────────────────────────────
RESULTS
──────────────────────────────────────────────────────────
PASSWORD FOUND!
Username admin
Password admin123
```
If you're not sure what to enter for the error message:
- Open the login page in your browser
- Open DevTools (F12) → Network tab
- Submit a wrong password
- Click the login request → Response tab
- Copy the exact error text from the response
The tool automatically handles these CSRF protection methods:
| Method | Example | Frameworks |
|---|---|---|
| Hidden Input | `<input type="hidden" name="csrf_token">` | Django, Laravel, Rails |
| Meta Tags | `<meta name="csrf-token" content="...">` | Rails, Laravel |
| Cookies | `XSRF-TOKEN` cookie | Express, Spring |
| Headers | `X-CSRFToken` header | Django REST Framework |
| JavaScript | `var csrfToken = "..."` | Custom implementations |
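CSRF tokens do not limit how many passwords can be tried against one account, so the server-side signal for this kind of testing is the per-account failure rate. The following is an added example, not part of this tool: a sliding-window detector run over constructed auth-log lines. The log format, the `result=` field, the function name and the thresholds are assumptions; the login result is logged rather than the HTTP status because a failed login may only be visible as error text in the response body.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth-log lines in an assumed format:
# timestamp, client IP, method, path, submitted username, login result.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T12:00:0{i} 203.0.113.7 POST /api/login user=admin result=fail" for i in range(4)]
    + [f"2024-05-01T12:00:0{i} 203.0.113.9 POST /api/login user=admin result=fail" for i in range(4, 6)]
    + ["2024-05-01T12:00:07 198.51.100.4 POST /api/login user=alice result=fail",
       "2024-05-01T12:00:30 198.51.100.4 POST /api/login user=alice result=ok"]
)

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)

def detect_password_guessing(log_text, login_path="/api/login", threshold=5, window_seconds=10):
    """Map each account that saw >= threshold failed logins inside any
    window_seconds span to the sorted source IPs seen in that burst."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # username -> (timestamp, ip) of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["path"] != login_path or m["result"] != "fail":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["user"]]
        q.append((ts, m["ip"]))
        # Drop failures that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        # Keyed on the account, not the client, so rotating source IPs still trips it.
        if len(q) >= threshold:
            flagged.setdefault(m["user"], set()).update(ip for _, ip in q)
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == "__main__":
    for user, ips in detect_password_guessing(SAMPLE_LOG).items():
        print(f"possible password guessing against {user!r} from {ips}")
```

The same per-account counter can drive a lockout or step-up challenge instead of only an alert.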
Only use this tool on systems you own or have explicit permission to test.
Unauthorized access to computer systems is illegal. This tool is for:
- Security researchers
- Penetration testers
- CTF players
- Educational purposes
Pull requests are welcome. For major changes, please open an issue first.