How to do it...

Ensure Burp and the OWASP BWA VM are running and that Burp is configured in the Firefox browser used to view the OWASP BWA applications.

  1. From the OWASP BWA Landing page, click the link to the OWASP Mutillidae II application.
  2. Open the Firefox browser on the login screen of OWASP Mutillidae II. From the top menu, click Login.
  3. Find the request you just performed within the Proxy | HTTP history table. Look for the call to the login.php page. Highlight the message, move your cursor into the Raw tab of the Request tab, right-click, and click on Send to Intruder.

  4. Switch over to the Intruder | Positions tab, and clear all Burp-defined payload markers by clicking the Clear § button on the right-hand side.
  5. Highlight the value currently stored in the page parameter (login.php), and place a payload marker around it using the Add § button.

  6. Continue to the Intruder | Payloads tab, and select the following wordlist from the wfuzz repository: admin-panels.txt. Within the GitHub repository, the wordlist sits at wfuzz/wordlist/general/admin-panels.txt.
  7. Click the Load button within the Payload Options [Simple list] section of the Intruder | Payloads tab, and a popup will appear, prompting for the location of your wordlist.
  8. Browse to the location where you downloaded the wfuzz repository from GitHub. Continue through the wfuzz folder structure (wfuzz/wordlist/general/) until you reach the admin-panels.txt file, and then select the file by clicking Open.

  9. Scroll to the bottom of the Payloads tab and uncheck the URL-encode these characters option (it is checked by default).

  10. You are now ready to begin the attack. Click the Start attack button at the top right-hand corner of the Intruder | Positions page.

     The attack results table will appear. Allow the attacks to complete. There are 137 payloads in the admin-panels.txt wordlist. Sort the Length column in descending order to see which of the payloads hit an actual web page.

  11. Notice the payloads that have larger response lengths. This looks promising! Perhaps we have stumbled upon some administration pages that may contain fingerprinting information or allow unauthorized access.

  12. Select the first page in the list with the largest length, administrator.php. From the attack results table, look at the Response | Render tab, and notice that the page displays the PHP version and the system information.
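The defender-side counterpart to this recipe, as an added example (not code from the book or from the Mutillidae project): it parses constructed Apache access-log lines for the same index.php?page= request pattern, flags a client that probes many distinct page values in a short window, and separates the constant-length "page not found" responses from the outliers that an attacker would have sorted to the top of the Length column. The sample log lines, the 3012-byte baseline, the threshold and the window are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format lines (sample data, not a real capture) imitating an
# Intruder run over Mutillidae's index.php?page= parameter; 3012 bytes = generic not-found page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /mutillidae/index.php?page=login.php HTTP/1.1" 200 5120 "-" "UA"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /mutillidae/index.php?page=admin.php HTTP/1.1" 200 3012 "-" "UA"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /mutillidae/index.php?page=administrator.php HTTP/1.1" 200 61240 "-" "UA"
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /mutillidae/index.php?page=adm.php HTTP/1.1" 200 3012 "-" "UA"
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /mutillidae/index.php?page=wp-admin.php HTTP/1.1" 200 3012 "-" "UA"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /mutillidae/index.php?page=login.php HTTP/1.1" 200 5120 "-" "UA"
10.0.0.9 - - [10/Oct/2023:13:56:20 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 4870 "-" "UA"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+)')

def parse_line(line):
    """Return (ip, timestamp, page value, status, size), or None for lines without ?page=."""
    m = LOG_RE.match(line)
    if not m:
        return None
    page = parse_qs(urlparse(m['target']).query).get('page')
    if not page:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, page[0], int(m['status']), int(m['size'])

def find_page_enumeration(log_text, min_distinct=5, window_s=60):
    """Flag clients requesting >= min_distinct distinct page values within window_s seconds
    (first to last request; a sliding window would be the production choice). The most
    common response size is the 'not found' baseline; the other values are real pages."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        span = (recs[-1][1] - recs[0][1]).total_seconds()
        pages = {r[2]: r[4] for r in recs}          # last response size seen per page value
        if len(pages) >= min_distinct and span <= window_s:
            baseline = Counter(pages.values()).most_common(1)[0][0]
            hits = sorted(p for p, size in pages.items() if size != baseline)
            findings[ip] = {'probed': len(pages), 'baseline_size': baseline, 'hits': hits}
    return findings
```

On the sample data only 10.0.0.5 is flagged, and its non-baseline responses are administrator.php and the legitimate login.php, which is exactly the exposure a defender wants to review after such a burst.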
