Brute forcing web applications' passwords
Here, we will use the same two apps that we have been using, so let's go directly to the steps, as follows:
- Go to Burp Suite and make sure that Intercept is OFF.
- Go to DVWA and select Brute force from the left menu.
- Type admin as Username and 12345 as Password (do not click on Login yet).
- Go back to Burp Suite and set Intercept to ON.
- Now, you should be able to see all data sent, including the Username and Password values typed.
- Click on the button that says Action on the top menu and then select Send to Intruder, as shown in the following screenshot:
- You should now see that the Intruder menu is highlighted in red, so go and click on Intruder in the top menu, as shown in the following screenshot:
- Go to Positions on the top menu. There, you can see the parameters or variables that we are going to use in our payloads...
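The steps above show the attacker's side of a credential brute-force: many login requests to one endpoint from one client in a short time. The following is an added example, not code from the book or from DVWA, showing what the same activity looks like in the web server's access log and how a defender can flag it. The log lines are constructed for this example; the Apache "combined" log format, the DVWA login path `/vulnerabilities/brute/` with `username`/`password` GET parameters, and the threshold of five attempts per minute are assumptions, and a real deployment would tune the window and threshold and watch every authentication endpoint.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex for the Apache/nginx "combined" log format (assumption: the lab web
# server logs in this format). Trailing referer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Login endpoint to watch. Assumption: DVWA's brute-force module under
# /vulnerabilities/brute/ takes the credentials as GET parameters; any other
# application only needs its own path and parameter name here.
LOGIN_PATH_PREFIX = "/vulnerabilities/brute/"
CREDENTIAL_MARKER = "password="

# Constructed sample log: 10.0.0.5 fires seven login attempts in seven seconds
# (the Intruder pattern), 10.0.0.9 loads the form and logs in twice, five
# minutes apart (a normal user). Not real traffic.
SAMPLE_LOG = """\
10.0.0.9 - - [01/Jan/2024:10:00:00 +0000] "GET /vulnerabilities/brute/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vulnerabilities/brute/?username=admin&password=p1&Login=Login HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=p2&Login=Login HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vulnerabilities/brute/?username=admin&password=p3&Login=Login HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /vulnerabilities/brute/?username=gordonb&password=x&Login=Login HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /vulnerabilities/brute/?username=admin&password=p4&Login=Login HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /vulnerabilities/brute/?username=admin&password=p5&Login=Login HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /vulnerabilities/brute/?username=admin&password=p6&Login=Login HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /vulnerabilities/brute/?username=admin&password=p7&Login=Login HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /vulnerabilities/brute/?username=gordonb&password=y&Login=Login HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_login_attempt(rec):
    """A request is a login attempt only when it carries a credential;
    a bare GET of the page is just the form being loaded."""
    return rec["path"].startswith(LOGIN_PATH_PREFIX) and CREDENTIAL_MARKER in rec["path"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_attempts} for every client whose login attempts to the
    watched endpoint exceed `threshold` inside any `window_seconds` span.
    Uses a sliding window per source IP; memory is bounded by the window."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_attempt(rec):
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Evict attempts that fell out of the window (log is in time order).
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, peak in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible brute force from {ip}: {peak} login attempts within 60 s")
```

Because DVWA answers every attempt with HTTP 200, the detector counts attempts rather than failures; on an application that returns a distinct status or redirect on failure, `is_login_attempt` can be narrowed to failed responses to cut false positives from busy legitimate users. The same per-client counter is what an application uses to enforce rate limiting or a temporary lockout, which is the mitigation that makes the Intruder run above stop working.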