Tag Archive for walkthough

DVWA Walkthrough Part 2: Brute Force


The objective of Part 2 of this walkthrough is to brute force the logon mechanism of the Damn Vulnerable Web App (DVWA) in order to obtain a valid username and password of the administrator account. To accomplish this we will use Burp Suite. Before you start make sure you have completed the setup steps in: Burp Suite Tutorial – Part 1: Setup.

In your web browser navigate to http://<IP address>/vulnerabilities/brute/

Next, make sure that “Intercept is on” is enabled and submit the form. Burp will intercept the traffic and display the HTTP request made to the server by your browser. From the Action drop down select “Send to Intruder”.

Screen Shot 2014-11-02 at 8.49.54 PM


Navigate to the Intruder tab. The intruder module is useful for fuzzing specific parameters within a request. The § symbol indicates where Burp will insert it’s payloads into each request.

In this case we want to brute force the username and password arguments. We do not want to brute force the login, PHPSESSID, or security arguments so highlight those and select ‘Clear §’ to remove the placeholders.

Screen Shot 2014-11-02 at 8.50.56 PM

Switch the “Attack type” drop down to Cluster Bomb. This mode will use separate lists to fuzz the username and password arguments and will try all combinations.

Next , select the Payloads tab. For this payload we want to pass in a list of user names. We will use a simple list of usernames in this example.

Screen Shot 2014-11-02 at 8.52.50 PM

Next, select payload 2 from the Payload set drop down. This time we will provide a simple list of passwords to guess.

Screen Shot 2014-11-02 at 8.53.37 PM

Select Intruder > Start attack
Screen Shot 2014-11-02 at 8.53.52 PM

Finally, we can see each request that has been sent to the server, and the combinations of usernames and passwords that we provided.

We can see that the length of the server response in request #1 has changed significantly from the baseline request and other requests. This is interesting and should be investigated. Request #1 has the correct username and password combination. We can validate that we have successfully gained access to the admin account by clicking “Response” > “Render”. Where we are greated with the text “Welcome to the password protected area admin”.

Whenever you are fuzzing with Burp check the Length of the responses as it may be an indication of a weakness.

Screen Shot 2014-11-02 at 8.55.13 PM
Thats it for part 2! You can now see how easy it is to quickly automate HTTP/HTTPS fuzzing using Burp Suite. 

DVWA Walkthrough Part 1: Setup


Damn Vulnerable Web App (DVWA) is an intentionally vulnerable PHP/MySQL web application for penetration testers to use to learn and practice exploiting many types of common web vulnerabilities.


DVWA code is available from http://www.dvwa.co.uk however, there is a preloaded Linux server available from vulnhub.com. The quickest way to get started is to download the .iso file and boot the distro in VMWare or VirtualBox.


Once the .iso is booted you will be presented with a shell. To find out what IP address has been assigned to the machine via DHCP run the ifconfig command.

dvwa@dvwa:~$ ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:0c:29:0c:8b:03  
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::20c:29ff:fe0c:8b03/64 Scope:Link
          RX packets:24577 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:29040387 (27.6 MiB)  TX bytes:1359164 (1.2 MiB)

Now that we know the IP address browse the web interface:

http://<ip address>/setup.php

Click ‘Create / Reset Database


Next, Click ‘DVWA Security‘ and logon with the default credentials:

username: admin
password: password

Set the security level to low. This is the easiest setting and probably a good place to start if you are a beginner.



For the rest of this walkthrough we will use Burp Suite to assist in finding and exploiting vulnerabilities. Burp Suite comes in free and paid versions. the fee version is fine for our purposes.


Once Burp is installed we want to configure our browser proxy settings to point to Burp. By Default Burp is configured to listen on

In Firefox the proxy settings can be found at: Settings > Advanced > Network > Settings.


Open your browser and browse to the DVWA IP address. If Burp is configured properly you should see the HTTP request within the Proxy > Intercept tab.