The Wayback Machine - https://web.archive.org/web/20201204164650/https://github.com/vanhauser-thc/thc-hydra/issues/475
Unknown GET Requests #475

Open
sgstudent2019 opened this issue Nov 28, 2019 · 2 comments

Comments

sgstudent2019 commented Nov 28, 2019

Hello there,

I was running the following command when attempting to brute-force through a WordPress login page: hydra -L usernames.txt -P passwords.txt [IP-Address] http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^:S=Dashboard'.

Before this, I had set an environment variable HYDRA_PROXY_HTTP (HYDRA_PROXY_HTTP="http://127.0.0.1:8080/"), linking it with my Burp Suite tool.

From Burp Suite proxy, I noticed that many GET requests were being made to /wp-login.php, simultaneously while POST requests with credentials were being sent to the same page. It appeared that for every POST request that was being made, one GET request would be made too.

I had assumed all along that when hydra is running, only POST requests were sent as part of the brute-forcing process. Hence, I would like to ask if there is something that I am doing wrong, or not understanding from the phenomenon (if it is intentionally designed in such a manner, why the need for the 1:1 GET request for every POST request made?).

Also, I noticed that someone else was also experiencing the same issue here. I was unable to find any (plausible) reason for the unwanted GET requests.

The hydra version that I am using is v8.9.1. This is the OS that I am running hydra on: Linux kali 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux.

Thank you for your time and I apologise in advance if it is something silly - this is my first time chaining a proxy with hydra (to observe the requests made by hydra).

vanhauser-thc (Owner) commented Nov 30, 2019

The GET request is used to get a current authentication cookie for the next login attempt.
Does this answer it?
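
For anyone reading web server logs, the one-GET-per-POST pattern discussed above is a recognisable signature. The following is an added example, not part of this issue thread or of the hydra project: it counts, per client, the login POSTs that were preceded by a GET to the same path. The log lines, IP addresses, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) [^"]*" \d{3}')

def _line(ip, sec, method, url, status=200):
    # Helper that builds one constructed Common Log Format line.
    return (f'{ip} - - [28/Nov/2019:10:00:{sec:02d} +0000] '
            f'"{method} {url} HTTP/1.1" {status} 512')

# Constructed sample log (documentation-range IPs, not real traffic).
_seq = "GGPPGPGPGPGP"  # one client, GET/POST pairs, the first two interleaved
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", i, "GET" if c == "G" else "POST", "/wp-login.php")
     for i, c in enumerate(_seq)]
    + [_line("198.51.100.7", 20, "GET", "/wp-login.php"),       # ordinary login
       _line("198.51.100.7", 25, "POST", "/wp-login.php", 302),
       _line("198.51.100.7", 26, "GET", "/wp-admin/")]
    + [_line("203.0.113.5", 30 + i, "POST", "/wp-login.php") for i in range(6)]
)

def login_request_counts(log_text, path="/wp-login.php"):
    """Per client: GETs, POSTs, and POSTs preceded by an unused GET to `path`."""
    stats = defaultdict(lambda: {"GET": 0, "POST": 0, "paired": 0})
    pending = defaultdict(int)  # GETs not yet matched to a POST, per client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3).split("?", 1)[0] != path:
            continue
        ip, method = m.group(1), m.group(2)
        stats[ip][method] += 1
        if method == "GET":
            pending[ip] += 1
        elif pending[ip]:           # POST that consumes one earlier GET
            pending[ip] -= 1
            stats[ip]["paired"] += 1
    return dict(stats)

def flag_paired_clients(log_text, min_posts=5, min_pair_ratio=0.9):
    """Clients whose login POSTs are almost all preceded by a fresh GET."""
    return sorted(
        ip for ip, s in login_request_counts(log_text).items()
        if s["POST"] >= min_posts and s["paired"] / s["POST"] >= min_pair_ratio
    )

if __name__ == "__main__":
    print(flag_paired_clients(SAMPLE_LOG))
```

A client that sends only POSTs (the third constructed client) is not matched by this pairing heuristic and needs a separate rate-based rule.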

alexvelickiy commented Sep 1, 2020

Is there a way to prevent this behavior? As it is unnecessary in some cases and therefore half of the requests sent to the server are redundant.
