Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
root@bt:/pentest/web/burpsuite# java -jar burpsuite_v1.4.01.jar
Brute-forcing Web Authentication
1. Proxy tab / History tab: find the request you want to brute-force, right-click it and choose Send to Intruder.
2. Intruder tab: set Attack type to Sniper.
3. Intruder tab / Target (check it is correct) / Positions: click Clear § to remove all auto-highlighted positions, then highlight the password you entered and click Add §.
Example: username=admin&password=test&Login=Login HTTP/1.1 (highlight only the word test and click Add §).
4. Intruder tab / Payloads: Payload set 1, Payload type: Simple list. Copy a word list and click Paste to load it into the list.
5. Top Intruder menu (next to Burp's top toolbar) / Start attack.
6. The attack window should open. Watch the list being tested and sort the results by Length. A response whose Length differs from the rest is the likely successful authentication.
For example, in one test every response had Length 4882, but the working password produced Length 4948 (the only different one).
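The same response-length signal the attacker sorts Intruder results by is visible to a defender in the web server's access log. The following Python script is an added example, not part of the original notes: it parses constructed combined-format log lines, flags any client IP that bursts POSTs at an assumed /login path, and reports responses whose size differs from that client's usual failed-login size.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx combined-format line: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def detect_login_bruteforce(log_text, login_path="/login", threshold=10):
    """Flag client IPs with >= threshold POSTs to login_path and report the
    responses whose size differs from that client's most common size (a failed
    login usually renders the same page; a success looks different)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            per_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        if len(recs) < threshold:
            continue
        common_size = Counter(r["size"] for r in recs).most_common(1)[0][0]
        outliers = [(r["status"], r["size"]) for r in recs if r["size"] != common_size]
        alerts[ip] = {"attempts": len(recs), "common_size": common_size, "outliers": outliers}
    return alerts

# Constructed sample log (not from the page): 12 failed logins then one success
# from 10.0.0.5, and two ordinary failed logins from 10.0.0.9.
def _line(ip, sec, status, size):
    return f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "POST /login HTTP/1.1" {status} {size}'

SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", s, 200, 4882) for s in range(12)]
    + [_line("10.0.0.5", 12, 302, 4948)]
    + [_line("10.0.0.9", 20, 200, 4882), _line("10.0.0.9", 30, 200, 4882)]
)

if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The threshold and login path are assumptions; tune them to the application, and pair the alert with account lockout or rate limiting on the login endpoint.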