For this recipe, you will need the common_pass.txt wordlist from wfuzz:
- https://github.com/xmendez/wfuzz
- Path: wordlists | other | common_pass.txt
Using OWASP Mutillidae II, we will determine whether the application provides information leakage based on the response time from forced logins.