How to bruteforce business and collaboration apps with Hydra and the Password Auditor

Weak authentication in Jira, Confluence, Microsoft Exchange, Adobe ColdFusion, and Oracle WebLogic can expose sensitive corporate data, internal communications, and privileged accounts - an oversight that threatens business continuity and regulatory compliance. Understanding how to correctly identify and remediate issues with weak credentials is essential for preventing unauthorized access, mitigating insider threats, and ensuring data integrity. 

This guide provides a step-by-step breakdown of login endpoint discovery, authentication analysis, and security testing using Hydra and the Password Auditor, giving security teams the knowledge to proactively identify and fix vulnerabilities.

Hydra vs password auditor hero image

How to check Jira for weak credentials

Deployment method: Vultr marketplace

1. Find the web app login endpoint for Jira

Usually, the Jira login form is found at the /login.jsp endpoint .

Jira login form

2. Discover the Jira login parameters

Use the Network tab in Web Developer Tools to identify the parameters.

Jira Web Developer Tools

3. Identify error messages and protection mechanisms

After one invalid attempt, the following message is returned:

Jira login error

After two failed attempts, the CAPTCHA is activated.

Jira login captcha

Hydra commands and output

In the first scenario, we used the following commands:

hydra -l benchmark-user -p bad-password -s 8080 jira.pentest-ground.com http-post-form "/login.jsp:os_username=^USER^&os_password=^PASS^&os_destination=&user_role=&atl_token=&login=Log+In:Sorry, your username and password are incorrect" -I
hydra -l benchmark-user -p tq6nAhfAhqtwBn7WXWqoaMXWF -s 8080 jira.pentest-ground.com http-post-form "/login.jsp:os_username=^USER^&os_password=^PASS^&os_destination=&user_role=&atl_token=&login=Log+In:Sorry, your username and password are incorrect" -I
Jira Hydra output

As you can see from the output, Hydra validly identified both the invalid and the valid credentials.


The following command is what we used for the second scenario, with multiple usernames and passwords:

hydra -L users.txt -P pass.txt -s 8080 jira.pentest-ground.com http-post-form "/login.jsp:os_username=^USER^&os_password=^PASS^&os_destination=&user_role=&atl_token=&login=Log+In:Sorry, your username and password are incorrect" -I
Jira Hydra output multiple credentials

Jira activated the CAPTCHA mechanism during the brute-force attack, preventing Hydra from identifying any valid credentials and causing it to mark all credentials as valid.

Password Auditor commands and results

For the first scenario, these are the parameters we adjusted to perform a more focused scan:


Because the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.


As the screenshot below shows, the Password Auditor successfully identified the valid credentials.

Jira Password Auditor scan results

Additionally, it also provided a screenshot of the logged-in session to confirm the tested credentials are valid.

Password Auditor screenshot of Jira logged-in session

In the second scenario, we only adjusted the wordlist to include 2 users (1 invalid and 1 valid) and 14 passwords (13 invalid and 1 valid).

Jira Password Auditor login captcha

The Password Auditor reported the Jira server activated its CAPTCHA protection. In the Details section, we recommend using the Password Spray attack type or splitting the scan into multiple scans with smaller wordlists.

Jira Password Auditor screenshot of login error

Bruteforce commands and settings for Hydra and the Password Auditor

Since authentication mechanisms across business-critical platforms vary significantly, effective security assessment requires adapting to anti-brute-force protections, such as CAPTCHA challenges, IP blacklisting, session-based restrictions, and temporary lockouts. 

By comparing Hydra’s manual brute-force capabilities with the Password Auditor’s automated credential testing, you’ll learn when to use precision attacks, leverage automation for efficiency, and capture proof of compromise to strengthen security assessments and justify mitigation actions.