Testing for weak credentials on web applications or devices that use web-form authentication is a very common task during pentests. A lot of times you'll come across a device where the only way to interact with it is via its web interface, and that web interface commonly requires authentication via submitted form fields.
I decided I wanted to write my own bruteforcer for a Synology NAS I happen to have on hand. Now, people commonly suggest using Nokogiri to interact with and parse web pages. That's all fine and dandy for simpler, more straightforward web code, but when you start getting into Web 2.0 stuff, or if you just don't want to deal with it, I've found that Mechanize helps tremendously.
Below is the final code I came up with. It's fairly simple. It takes in a file called "passlist.txt", which is the password dictionary file, and for every password in that file it attempts a login to the login page. It checks the returned response body to decide whether the attempt succeeded or failed. (This is mainly meant as a PoC, not as a tool.)
Running the script yields the following output:
Failure with admin
SUCCESSFUL LOGIN WITH yoloswag
Failure with kittens
Again, this is not meant to be fancy, groundbreaking, or anything other than some code to copy and paste if you need it.
(There are a variety of tools that will do the same thing, or a very similar attack, much faster than this, such as hydra, medusa, Burp, etc.)
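The loop described above, one POST to the login form per dictionary entry, leaves a very recognisable trace on the device's side. As an added example, not the post's own script, here is that trace in Ruby from the defender's seat: a few constructed web-server access-log lines, and a sliding-window check that flags any source sending too many POSTs to the login form in a short period. The log format, the /login path, and the threshold and window values are assumptions, not details taken from the post or from any particular NAS.

```ruby
require 'time'

# Hypothetical login endpoint and thresholds (assumptions, not from the post).
LOGIN_PATH = '/login'
THRESHOLD  = 5    # this many POSTs to the login form from one source...
WINDOW     = 60   # ...within this many seconds is flagged

# Constructed sample access-log lines in Common Log Format style (not real data).
# 10.0.0.5 hits the form six times in under half a minute; the other sources are
# a normal user (10.0.0.9) and a request to an unrelated path (10.0.0.7).
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [12/Mar/2015:10:00:01 +0000] "POST /login HTTP/1.1" 200 512
  10.0.0.9 - - [12/Mar/2015:10:00:02 +0000] "GET /login HTTP/1.1" 200 2048
  10.0.0.5 - - [12/Mar/2015:10:00:05 +0000] "POST /login HTTP/1.1" 200 512
  10.0.0.9 - - [12/Mar/2015:10:00:07 +0000] "POST /login HTTP/1.1" 302 0
  10.0.0.5 - - [12/Mar/2015:10:00:10 +0000] "POST /login HTTP/1.1" 200 512
  10.0.0.5 - - [12/Mar/2015:10:00:14 +0000] "POST /login HTTP/1.1" 200 512
  10.0.0.7 - - [12/Mar/2015:10:00:15 +0000] "POST /search HTTP/1.1" 200 900
  10.0.0.5 - - [12/Mar/2015:10:00:20 +0000] "POST /login HTTP/1.1" 200 512
  10.0.0.5 - - [12/Mar/2015:10:00:28 +0000] "POST /login HTTP/1.1" 302 0
  10.0.0.9 - - [12/Mar/2015:10:09:30 +0000] "POST /login HTTP/1.1" 200 512
LOG

# client - - [timestamp] "METHOD path PROTO" status size
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3})/

# Parse one access-log line into a hash, or nil if it does not match the format.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  {
    ip:     m[:ip],
    time:   Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path:   m[:path].split('?').first,   # ignore any query string
    status: m[:status].to_i
  }
end

# Largest number of timestamps that fall inside any window of `window` seconds.
# Two-pointer scan over the sorted times, so it is linear in the number of attempts.
def max_in_window(times, window)
  times = times.sort
  best = 0
  lo = 0
  times.each_with_index do |t, hi|
    lo += 1 while t - times[lo] > window
    best = [best, hi - lo + 1].max
  end
  best
end

# Return { ip => peak_count } for every source that POSTed to the login form
# at least `threshold` times inside some `window`-second span.
# Status codes are deliberately ignored: a form that answers failures with a
# 200 and an error message (as the post's success check relies on) looks the
# same as a success at this layer, so the request rate is the signal.
def flag_login_bursts(log_text, path: LOGIN_PATH, threshold: THRESHOLD, window: WINDOW)
  attempts = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    rec = parse_line(line)
    next unless rec
    next unless rec[:method] == 'POST' && rec[:path] == path
    attempts[rec[:ip]] << rec[:time]
  end
  attempts.each_with_object({}) do |(ip, times), alerts|
    n = max_in_window(times, window)
    alerts[ip] = n if n >= threshold
  end
end

if __FILE__ == $PROGRAM_NAME
  flag_login_bursts(SAMPLE_LOG).each do |ip, n|
    puts "ALERT #{ip}: #{n} POSTs to #{LOGIN_PATH} within #{WINDOW}s"
  end
end
```

Run against the constructed log it reports only 10.0.0.5 with six attempts; the normal user's two POSTs nine minutes apart and the unrelated /search traffic stay quiet. The same per-source count is what a lockout or rate limit on the login handler would key on, which is the mitigation that makes a dictionary loop like the one in the post stall after a handful of guesses.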