WSTG-ATHN-03: Add credential stuffing and distributed brute force testing guidance#1356

Open
YK-03 wants to merge 1 commit into OWASP:master from YK-03:wstg-athn03-clean

@YK-03 YK-03 commented Mar 9, 2026

This PR expands the How to Test section of WSTG-ATHN-03 (Testing for Weak Lock Out Mechanism) by adding guidance for testing credential stuffing and distributed brute force attacks.

Modern authentication attacks often rely on credential stuffing using leaked credentials and distributed infrastructure such as botnets or rotating proxy networks. Applications that rely solely on IP-based lockout mechanisms may be vulnerable to these attacks.

What this PR adds

  • Guidance on testing credential stuffing scenarios
  • Methodology for detecting distributed brute force attempts
  • Example authentication request
  • Tooling examples (Burp Suite Intruder, Hydra, ffuf)
  • Recommendations for evaluating lockout protections against distributed attacks

Why this change is useful

Credential stuffing is one of the most common authentication attack vectors today. Expanding this section helps testers evaluate whether lockout mechanisms are resilient against modern attack patterns rather than only traditional single-source brute force attempts.
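The IP-only lockout weakness the description points at, shown as an added example that is not taken from the PR or from the WSTG document: a small Python replay that feeds constructed failed-login events through three hypothetical lockout policies (per source IP, per account, site-wide velocity) and reports which policy fires first. The thresholds, the window and the sample events are all assumptions.

```python
from collections import defaultdict, deque

# Assumed policy parameters (hypothetical, not from the WSTG text).
WINDOW_SECONDS = 600      # sliding window in which failures are counted
IP_THRESHOLD = 5          # per-source-IP lockout, the "IP-only" policy
ACCOUNT_THRESHOLD = 5     # per-account lockout
GLOBAL_THRESHOLD = 50     # site-wide failed-login velocity alert


class LockoutEvaluator:
    """Replays failed logins against three policies so they can be compared."""

    def __init__(self):
        self.by_ip = defaultdict(deque)
        self.by_account = defaultdict(deque)
        self.global_q = deque()

    @staticmethod
    def _count(q, ts):
        # Add this failure, drop anything older than the window, return the count.
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def record_failure(self, ts, ip, account):
        """Return the set of policies ('ip', 'account', 'global') that fire on this failure."""
        fired = set()
        if self._count(self.by_ip[ip], ts) >= IP_THRESHOLD:
            fired.add("ip")
        if self._count(self.by_account[account], ts) >= ACCOUNT_THRESHOLD:
            fired.add("account")
        if self._count(self.global_q, ts) >= GLOBAL_THRESHOLD:
            fired.add("global")
        return fired


def evaluate(events):
    """Map each policy to the timestamp at which it first fired (absent = never fired)."""
    ev = LockoutEvaluator()
    first_fired = {}
    for ts, ip, account in events:
        for policy in ev.record_failure(ts, ip, account):
            first_fired.setdefault(policy, ts)
    return first_fired


# Constructed samples (ts seconds, source IP, target account) using documentation-range IPs.
SINGLE_SOURCE = [(i * 10, "198.51.100.7", "alice") for i in range(20)]   # classic brute force
DISTRIBUTED = [(i * 10, f"203.0.113.{i}", "alice") for i in range(20)]   # one account, many IPs
STUFFING = [(i * 10, f"203.0.113.{i}", f"user{i}") for i in range(60)]   # many accounts, many IPs

if __name__ == "__main__":
    for name, events in [("single-source", SINGLE_SOURCE), ("distributed", DISTRIBUTED), ("stuffing", STUFFING)]:
        print(name, evaluate(events) or "no policy fired")
```

Only the single-source run trips the per-IP policy; the distributed run is caught by the per-account counter alone, and the stuffing run is caught only by the site-wide velocity signal, which is the gap a tester is checking for.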

YK-03 force-pushed the wstg-athn03-clean branch from f4e8411 to 92df62d on March 9, 2026 16:28

github-actions Bot commented Mar 9, 2026

📝 Markdown Linting Issues

Total Errors: 2

document/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism.md

Errors: 2

  • Line 43 - MD040/fenced-code-language: Fenced code blocks should have a language specified [Context: "triple-backtick"]
  • Line 62 - MD040/fenced-code-language: Fenced code blocks should have a language specified [Context: "triple-backtick"]

Please fix these issues before merging. See .markdownlint.json for project style rules.

kingthorin (Collaborator) commented

Please be aware that I won't be super active this week or next. If you aren't getting reviews, it isn't for lack of appreciation; I'm just busy with some family stuff.