Brute Forcing
Sometimes just looking isn't enough
There are several different ways to brute force a site.

Virtual Host Enumeration

gobuster vhost -u <url> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Login Brute Forcing

hydra -l <username> -P <password list> <ip> http-post-form "/<login url>:username=^USER^&password=^PASS^:F=incorrect" -V
hydra -l admin -P top_100.txt <ip> http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect" -V
hydra -L users.txt -P passwords.txt <ip> https-post-form "/login:username=^USER^&password=^PASS^:Invalid"


CSRF Testing

ZAP's Anti CSRF Test Form can be used to determine whether the token is vulnerable.