To brute force Base64 Authorization HTTP headers using Intruder
1. Send the authentication request to Intruder
2. Set the insertion point after the Authorization type, on the Base64 value
3. Payloads: choose Simple list and load your favorite password list
4. Payload Processing: add two rules
   1. Add Prefix: enter the username you want to brute force, followed by a colon
   2. Base64-encode the payload
   Payload Encoding: disable it. If you submit URL-encoded equals signs, you'll get an error, so be sure to disable it
5. Start Attack
   Let it fly and wait for a 200/302 to confirm the correct password
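
The traffic this procedure produces has a recognisable shape: one fixed username, many different passwords, a run of 401s and possibly a final 200/302. The following is an added example (not part of the original page) of detection logic for that pattern. It assumes a reverse proxy or WAF records the source address, the Authorization header and the response status; the record layout, function names and sample data are constructed for illustration.

```python
import base64
import binascii
import hashlib
from collections import defaultdict

def _basic(user, password):
    """Build a Basic header value for the constructed sample data below."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed records: (source address, Authorization header, response status).
SAMPLE = [
    ("203.0.113.7", _basic("admin", "123456"), 401),
    ("203.0.113.7", _basic("admin", "password"), 401),
    ("203.0.113.7", _basic("admin", "letmein"), 401),
    ("203.0.113.7", _basic("admin", "qwerty"), 401),
    ("203.0.113.7", _basic("admin", "S3cure-Example"), 200),
    ("198.51.100.20", _basic("alice", "typo"), 401),      # ordinary mistyped password
    ("198.51.100.20", _basic("alice", "correct"), 200),
    ("203.0.113.7", "Basic YWRtaW46cGFzcw%3D%3D", 400),   # URL-encoded '=' padding
]

def decode_basic(header):
    """Return (username, password) from a Basic header, or None if it is invalid."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # e.g. '%3D' is outside the Base64 alphabet
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def detect_guessing(records, threshold=3):
    """Flag (source, username) pairs with >= threshold distinct failed passwords."""
    failed = defaultdict(set)
    succeeded = set()
    for source, header, status in records:
        creds = decode_basic(header)
        if creds is None:
            continue
        key = (source, creds[0])
        if status == 401:
            # Keep only a digest so the detector never stores plaintext guesses.
            failed[key].add(hashlib.sha256(creds[1].encode()).digest())
        elif status in (200, 302) and len(failed[key]) >= threshold:
            succeeded.add(key)  # success after a guessing run: likely compromise
    return {k: {"failed": len(v), "succeeded": k in succeeded}
            for k, v in failed.items() if len(v) >= threshold}
```

A flagged pair with `succeeded` set is the case to escalate first, since it means a guessed password was accepted; account lockout or rate limiting on 401 responses keeps the run from reaching that point.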