Brute forcing forms
As mentioned previously, basic authentication is not recommendable due to its security issues. More common is the use of authentication forms. These authentication forms consist in an HTML or another client technology form, which is passed to a backend where the credentials are processed to determine whether the user has access or not to the resource.
It is important to note that all the processing to determine whether the user is valid or not will be in the backend. Sometimes, it is recommendable to use structure validations in the client side, just to limit the number of incorrect attempts.
Automation with Burp Suite
To execute a brute forcing on a form, we are going to stop the request where the credentials are uploaded to the application, as can be seen in the following code block, where the user is accessing a login section:
POST /api/system/user_login HTTP/1.1 Host: 192.168.1.254 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox...