- Intercept a login request in Proxy
- Send it to Intruder (Ctrl-I)
- Go to Intruder > Positions
- Click Clear §, since Burp Suite marks too many fields as positions by default
- Highlight each value that needs to be brute-forced and click Add §
- Select the attack type
  - Sniper - one payload set (i.e. one wordlist) shared by all positions (§), inserted into one position at a time while the others keep their original value
  - Pitchfork - one payload set per position, advanced in lock-step, so the n-th payload of each list is sent in the same request (distinct fields brute-forced with their own lists)
- Use Intruder > Options > Grep - Extract to capture any one-time tokens that differ per request from each response
- Configure the payload sets (one wordlist per position) under Intruder > Payloads