Login SQLi / Brute Force
WAF Test: Try SQL injection payloads in the username/password fields.
The WAF should block requests containing SQLi patterns before they reach this server.
Rate Limiting Test: Submit the form rapidly to trigger rate limiting rules.
Valid accounts: admin/admin123 · user/password · demo/demo