How to do it...

Ensure that Burp is running, that the owaspbwa VM is running, and that the Firefox browser used to view the owaspbwa applications is configured to proxy through Burp.

  1. From the owaspbwa landing page, click the link to the OWASP Mutillidae II application.
  2. Open the Firefox browser at the OWASP Mutillidae II home page (URL: http://<your_VM_assigned_IP_address>/mutillidae/).
  3. Go to the login page and log in using the username ed and the password pentest.
  4. Switch to Burp's Proxy | HTTP history tab, find the login request you just performed, right-click it, and select Send to Intruder.
  5. Go to the Intruder | Positions tab and clear all the payload markers using the Clear § button on the right-hand side.
  6. Select the password field and click the Add § button to wrap a payload marker around that field.
  7. Also, remove the PHPSESSID token: delete the value present in this token (the content following the equals sign) and leave it blank. This step is very important, because if you leave this token in the requests, the application will treat you as already logged in and you will be unable to see the difference in the timings.
  8. Go to the Intruder | Payloads tab. Within Payload Options [Simple list], add some invalid values by loading a wordlist from wfuzz containing common passwords: wfuzz | wordlists | other | common_pass.txt.
  9. Scroll to the bottom and uncheck the checkbox for Payload Encoding.
  10. Click the Start attack button. An attack results table appears; let the attack complete. In the attack results table, select Columns and check both Response received and Response completed to add these columns to the table.
  11. Analyze the results. Though not obvious on every response, note the delay when an invalid password such as administrator is used: the Response received timing is 156, but the Response completed timing is 166. The valid password pentest (the only request that returns a 302) receives an immediate response: 50 (received) and 50 (completed).
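The timing gap in the last step arises when a login handler does different amounts of work on the failure and success paths (for example, only failed attempts trigger a synchronous audit write, or the credential comparison stops at the first differing byte). The following added example is not code from the Burp Suite Cookbook or from Mutillidae: it models that leaky shape in Python beside a hardened handler that hashes, compares and logs identically on every path, and includes a small harness to measure the median response time of each. The user store (`ed`/`pentest`), PBKDF2 iteration count and the 5 ms simulated audit write are constructed values for the demo.

```python
"""Login handler that leaks success/failure through response timing, beside a
version that performs the same work on every path.

Added example, not from the Burp Suite Cookbook or Mutillidae: the user store,
hash parameters and simulated audit-log cost are all constructed here.
"""
import hashlib
import hmac
import os
import secrets
import statistics
import time

PBKDF2_ITERATIONS = 50_000   # constructed value chosen to keep the demo fast
LOGIN_AUDIT_LOG = []         # stands in for a DB insert or syslog call


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _new_user(password: str):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed credential store; "ed"/"pentest" mirrors the recipe's test login.
USERS = {"ed": _new_user("pentest")}

# Dummy record verified for unknown usernames, so that an unknown user costs
# the same PBKDF2 work as a known user supplying a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def _record_attempt(username: str, success: bool) -> None:
    # Simulated synchronous audit write (~5 ms), the kind of extra work that
    # produces a visible gap when it runs on only one outcome.
    LOGIN_AUDIT_LOG.append((username, success))
    time.sleep(0.005)


def authenticate_leaky(username: str, password: str) -> bool:
    """Failure path does extra work; success path returns immediately.

    This is the shape that shows up in the Intruder timing columns: invalid
    passwords complete late, the valid one completes early.
    """
    if username not in USERS:
        _record_attempt(username, False)
        return False
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:   # non-constant-time compare
        _record_attempt(username, False)           # only failures pay this cost
        return False
    return True


def authenticate_uniform(username: str, password: str) -> bool:
    """Same hash work, constant-time compare and same audit write on every path."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored) and known
    _record_attempt(username, ok)                  # both outcomes are logged
    return ok


def median_ms(fn, username: str, password: str, repeats: int = 5) -> float:
    """Median wall-clock time of fn(username, password) in milliseconds."""
    samples = []
    for _ in range(repeats):
        start = time.perf_counter()
        fn(username, password)
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)


if __name__ == "__main__":
    for name, fn in (("leaky", authenticate_leaky), ("uniform", authenticate_uniform)):
        good = median_ms(fn, "ed", "pentest")
        bad = median_ms(fn, "ed", "administrator")
        print(f"{name:8s} valid={good:6.1f} ms  invalid={bad:6.1f} ms  gap={bad - good:5.1f} ms")
```

Running the module prints a gap of roughly the audit-write cost for the leaky handler and a gap near zero for the uniform one; the exact figures depend on the machine, which is why the recipe above relies on the relative difference between rows rather than on absolute millisecond values. In a production service the audit write would normally be made asynchronous or batched instead of slept through, but the principle stands: whatever the handler does, it should do on both outcomes.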
