Unknown GET Requests

[sgstudent2019]

Hello there,

I was running the following command when attempting to brute-force through a WordPress login page: hydra -L usernames.txt -P passwords.txt [IP-Address] http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^:S=Dashboard'.

Before this, I had set an environment variable HYDRA_PROXY_HTTP (HYDRA_PROXY_HTTP="http://127.0.0.1:8080/"), linking it with my Burp Suite tool.

From Burp Suite proxy, I noticed that many GET requests were being made to /wp-login.php, simultaneously while POST requests with credentials were being sent to the same page. It appeared that for every POST request that was being made, one GET request would be made too.

I had assumed all along that when hydra is running, only POST requests were sent as part of the brute-forcing process. Hence, I would like to ask if there is something that I am doing wrong, or not understanding from the phenomenon (if it is intentionally designed in such a manner, why the need for the 1:1 GET request for every POST request made?).

Also, I noticed that someone else was also experiencing the same issue here. I was unable to find any (plausible) reason for the unwanted GET requests.

The hydra version that I am using is v8.9.1. This is the OS that I am running hydra on: Linux kali 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux.

Thank you for your time and I apologise in advance if it is something silly - this is my first time chaining a proxy with hydra (to observe the requests made by hydra).

[vanhauser-thc]

The GET request is used to get a current authentication ccokie for the next login attempt. this this answer it?

[ertygiq]

Is there a way to prevent this behavior? As it is unnecessary in some cases and therefore half of the requests sent to server are redundant.

[a3desu]

Probably this might help:

$ hydra -U http-post-form

... {skip} ...

The following parameters are optional:
 (g|G)=              skip pre-requests - only use this when no pre-cookies are required