Ensure Burp and the OWASP BWA VM are running and that Burp is configured in the Firefox browser used to view the OWASP BWA applications.
- From the OWASP BWA Landing page, click the link to the OWASP Mutillidae II application.
- Open the Firefox browser to the login screen of OWASP Mutillidae II. From the top menu, click Login.
- At the login screen, attempt to login five times with username admin and the wrong password of aaaaaa. Notice the application does not react any differently during the five attempts. The application does not change the error message shown, and the admin account is not locked out. This means the login is probably susceptible to brute-force password-guessing attacks:
Let's continue the testing, to brute-force ...