DVWA: Damn Vulnerable Web Application Brute Force Walkthrough (Low Security)
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and to aid both students & teachers to learn about web application security in a controlled classroom environment.
The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface.
Disclaimer: Authors don’t take responsibility for the way you’ll use this vulnerable web application (DVWA). Do not install DVWA on live web servers, otherwise, you’ll take the responsibility for any damage caused by installing DVWA.
Let's Start Our Tutorial Now
This tutorial demonstrates how you can complete a brute force attack on DVWA (Damn Vulnerable Web Application) on low security.
Lab requirements
- Kali Linux
- DVWA
This tutorial assumes you have already set up the lab environment needed to run the penetration test. If you need help setting up DVWA, please leave a comment and I will post an article about it soon.
Step 1, recon.
Firstly, we must do our homework and understand what is happening when the user submits a form. For instance, is it a GET or POST request? Where is the request going? What data is being sent?
Luckily for us, Kali comes with a powerful tool called Burp Suite. Burp Suite is a huge tool and does a ton of different stuff. For the purpose of this tutorial, we’ll just be focusing on how we can use it for our brute force attack.
Burp Suite is going to act as a proxy server. Essentially, what this means is that we route our requests through Burp Suite — it sits in the middle. This is an oversimplified description, but you get the idea.
HTTP request now:
Our browser -> Target server
HTTP request through a proxy:
Our browser -> Proxy server -> Target server
With Burp Suite sitting in the middle, we can intercept the request from our browser before it reaches the target server. There are several reasons why we would want to do this. In the context of this attack, we are doing it so we can inspect the HTTP request.
Setting up the proxy server
For this to work we need to point our browser to the proxy server, so all requests go through it. So, let's do that. Go ahead and open up Burp Suite.
Click Proxy in the top row of tabs, then select Options. You’ll see the proxy listener address (by default 127.0.0.1:8080).
Kali’s default browser is Mozilla Firefox. Open it and we’ll point it at our Burp Suite proxy. In the URL bar type about:preferences; this takes you to the General settings page. Scroll down to Network Settings, choose manual proxy configuration and enter the Burp listener address and port as the HTTP proxy (also use it for HTTPS).
With our proxy configured, we’re almost good to go. If you get certificate errors when accessing HTTPS sites through the proxy, you need to install Burp's CA certificate in Firefox. To install the certificate, visit here.
Alternatively, you can use Burp's built-in browser (Chromium), which is already configured to use the proxy.
Head to the DVWA login page now (e.g. http://target.site/dvwa). It will ask for a username and password. The default username is 'admin' and the password is 'password'.
Now log in, go to DVWA Security, select Low and click Submit.
Head to the Brute Force page and turn on Intercept in Burp Suite's Proxy tab.
Inspect the login request
With the interceptor enabled, any requests made from our browser will be stopped by the proxy server. Then we can inspect, modify, drop or forward the request.
Without entering any credentials, hit the login button, and let’s take a look at the request. You should see something like this:
There is some key info here:
- It's a GET request
- The login parameters (username=&password=&Login=Login)
- The cookie (security=low; PHPSESSID=d292dc6ea31b201a110b400d46d7a494)
With all this info, we can recreate the request and use it in our brute force attack.
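The recon step above boils down to pulling a few fields out of the raw request Burp shows us. The following script is an added example (not part of the original tutorial) that parses such a request into its method, path, query parameters and cookies, and also flags the point that matters to a defender: on the Low level the form is submitted with GET, so the credentials travel in the URL and end up in server access logs, proxy logs and browser history. The sample request is constructed from the fields listed above; it is not a real capture, and the PHPSESSID value is simply the one quoted in the text.

```python
"""Parse a raw HTTP request as captured by an intercepting proxy.

Added example, not part of the DVWA tutorial. SAMPLE_REQUEST is constructed
from the fields the text lists (GET, username/password/Login, the security
and PHPSESSID cookies); it is not a real capture.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the intercepted Brute Force login request.
SAMPLE_REQUEST = (
    "GET /dvwa/vulnerabilities/brute/index.php?username=&password=&Login=Login HTTP/1.1\r\n"
    "Host: target.site\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: security=low; PHPSESSID=d292dc6ea31b201a110b400d46d7a494\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Parameter names that usually carry a secret; used only for the warning flag.
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd"}


def parse_request(raw: str) -> dict:
    """Split a raw request into method, path, query params, headers and cookies.

    Also reports whether a credential-looking parameter is sent in the URL,
    which is the case for a GET login form.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)

    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    parts = urlsplit(target)
    # keep_blank_values keeps username= and password= even when empty
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}

    cookies = {}
    for item in headers.get("cookie", "").split(";"):
        if "=" in item:
            k, _, v = item.strip().partition("=")
            cookies[k] = v

    return {
        "method": method,
        "path": parts.path,
        "params": params,
        "headers": headers,
        "cookies": cookies,
        # Credentials in a query string are written to access logs, proxy
        # logs and browser history: one reason login forms should use POST.
        "credentials_in_url": method == "GET" and bool(SENSITIVE_PARAMS & set(params)),
    }


if __name__ == "__main__":
    parsed = parse_request(SAMPLE_REQUEST)
    for key in ("method", "path", "params", "cookies", "credentials_in_url"):
        print(f"{key}: {parsed[key]}")
```

Run it as-is and it prints the method, path, the three form parameters (two of them empty) and both cookies, with credentials_in_url set to True; paste a request you intercepted yourself into SAMPLE_REQUEST to see the same breakdown for it.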
Step 2, the attack.
The attack can be performed from Burp Suite, but my weapon of choice is THC Hydra. Hydra can perform rapid dictionary attacks against an authentication service.
Hydra has a bunch of options; to learn more about them, type hydra -h in the terminal for more info and examples.
(If you want to use Burp instead, read here how to perform brute force attacks with Burp Suite.)
Here’s the info we’re going to provide Hydra for our attack:
- target server
- URL path
- username
- password dictionary
- failure message
For the username, we’re going to cheat a bit and assume we know the username is admin. You can also provide Hydra with a username dictionary, but for now, we’ll just focus on the password.
The failure message is the response we get from the login form when submitting a bad login. It’s just a string that Hydra searches the response HTML for to see if the login succeeded or failed. For instance, the message we get in red under the login form after a bad login attempt is “Username and/or password incorrect.”.
The complete command will look like this (the PHPSESSID value comes from your own intercepted request):
hydra 10.0.2.5 -l admin -P password.txt http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=d292dc6ea31b201a110b400d46d7a494"
The H= field passes along the session cookie we captured in Step 1. The Brute Force page sits behind DVWA's own login, so without it every attempt is redirected to the login page; that response does not contain the failure message, and Hydra would wrongly report every password in the list as valid.
For the password list, you can use Google/GitHub to find the most commonly used password lists and use them to attack targets.
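On the receiving end, a run like the one above leaves an obvious trail: dozens of requests per second to the same login path from one address, each with a different password in the query string. The script below is an added example (not part of the tutorial) of the detection logic a defender would run over web server access logs: it parses Apache combined-format lines and raises an alert when one source sends more than a threshold of login attempts for the same username inside a time window. The log lines are constructed to look like what the Hydra command would produce; they are not real logs. Status codes are deliberately ignored, because the DVWA page answers 200 to both good and bad credentials, so request rate is the reliable signal.

```python
"""Flag password-guessing bursts against a login endpoint in access logs.

Added example, not part of the DVWA tutorial. SAMPLE_LOG is constructed to
resemble Apache combined-format entries left by a Hydra http-get-form run;
it is not real log data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/dvwa/vulnerabilities/brute/index.php"

# Constructed sample: one ordinary visit, then twelve guesses in twelve
# seconds from 10.0.2.15 against the admin account.
SAMPLE_LOG = "\n".join(
    ['10.0.2.4 - - [12/Mar/2023:10:00:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1532']
    + [
        f'10.0.2.15 - - [12/Mar/2023:10:01:{i:02d} +0000] '
        f'"GET {LOGIN_PATH}?username=admin&password=guess{i}&Login=Login HTTP/1.1" 200 4301'
        for i in range(12)
    ]
)


def parse_line(line: str):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "path": parts.path,
        # Only present because the Low-level form submits with GET.
        "username": params.get("username", [None])[0],
        "status": int(m["status"]),
    }


def detect_bursts(log_text: str, login_path: str = LOGIN_PATH,
                  threshold: int = 10, window: timedelta = timedelta(seconds=60)):
    """Return (ip, username, peak_count) for every source that made at least
    `threshold` login attempts for the same username within `window`.

    Lines are assumed to be in chronological order, as in a live log.
    """
    recent = defaultdict(deque)  # (ip, username) -> timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["path"] != login_path or e["username"] is None:
            continue
        key = (e["ip"], e["username"])
        q = recent[key]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:  # drop attempts older than window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return [(ip, user, n) for (ip, user), n in alerts.items()]


if __name__ == "__main__":
    for ip, user, n in detect_bursts(SAMPLE_LOG):
        print(f"ALERT: {n} login attempts for '{user}' from {ip} within 60s")
```

Point it at a real access.log by replacing SAMPLE_LOG with the file contents; the threshold and window are the knobs to tune, and the same per-(source, account) counter is what an account lockout or rate limit on the login endpoint would enforce to stop the run rather than just report it.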
In action:
The tutorial for brute forcing on medium and high security will follow soon.
If you got stuck or have any questions, leave a comment, and I’ll do my best to get back to you.