DVWA Brute Force attack (low security) with Burp Suite

Head to the Brute Force section of the DVWA app.

Start up Burp Suite and intercept the login request from the page.

Send the request to Intruder.

Use the Clear button to remove the automatically selected positions, then mark the username and password fields with the Add button. In the payload positions, choose the Cluster bomb attack type (multiple payloads).

Set 2 payloads one for the username and the other for the password.

Here I have used a simple payload list for both fields.

Username payload
Password payload

Start the attack and observe the Length column for each request. If the length of one request differs from the others, open its request data to view the result.
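Seen from the server side, the attack above leaves a very recognisable trace: a burst of requests to one login endpoint from one source, almost all of them returning a response of the same size (the failed-login page), with the one successful attempt standing out by a different size, exactly the signal used in Intruder. The following script is an added example, not part of the original post, that turns that observation into a simple detection over web-server access logs. The log lines, the login path (assumed to be DVWA's /vulnerabilities/brute/), the threshold and the time window are all constructed assumptions for the example.

```python
"""Flag login brute-force bursts in combined-format access logs.

Added example (not from the original post). For each source IP it keeps
the login requests seen inside a sliding time window; once an IP crosses
the threshold it reports the burst, the most common (failed-login)
response size, and any response whose size differs from that baseline.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/vulnerabilities/brute/"  # assumed DVWA login endpoint
THRESHOLD = 5                           # attempts per window that raise an alert (assumed)
WINDOW = timedelta(seconds=60)          # sliding window length (assumed)

# Constructed sample lines in Apache/Nginx combined log format; not real traffic.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Oct/2023:13:54:50 +0000] "GET /index.php HTTP/1.1" 200 1822
10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=try1&Login=Login HTTP/1.1" 200 4521
10.0.0.5 - - [10/Oct/2023:13:55:02 +0000] "GET /vulnerabilities/brute/?username=admin&password=try2&Login=Login HTTP/1.1" 200 4521
10.0.0.5 - - [10/Oct/2023:13:55:02 +0000] "GET /vulnerabilities/brute/?username=admin&password=try3&Login=Login HTTP/1.1" 200 4521
10.0.0.5 - - [10/Oct/2023:13:55:03 +0000] "GET /vulnerabilities/brute/?username=admin&password=try4&Login=Login HTTP/1.1" 200 4521
10.0.0.5 - - [10/Oct/2023:13:55:04 +0000] "GET /vulnerabilities/brute/?username=admin&password=try5&Login=Login HTTP/1.1" 200 4521
10.0.0.5 - - [10/Oct/2023:13:55:05 +0000] "GET /vulnerabilities/brute/?username=admin&password=try6&Login=Login HTTP/1.1" 200 4521
10.0.0.5 - - [10/Oct/2023:13:55:06 +0000] "GET /vulnerabilities/brute/?username=admin&password=try7&Login=Login HTTP/1.1" 200 4702
192.168.1.20 - - [10/Oct/2023:13:55:10 +0000] "GET /vulnerabilities/brute/?username=gordonb&password=x&Login=Login HTTP/1.1" 200 4702
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
        "size": int(m["size"]),
    }


def detect_bruteforce(lines, login_path=LOGIN_PATH, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: alert} for every IP whose login attempts in `window` reach `threshold`."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, response size) inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["size"]))
        # Slide the window: discard attempts older than `window` before the newest one.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            sizes = Counter(size for _, size in q)
            baseline = sizes.most_common(1)[0][0]  # the repeated size is the failed-login page
            outliers = [(ts.isoformat(), size) for ts, size in q if size != baseline]
            alerts[rec["ip"]] = {
                "attempts": len(q),
                "baseline_size": baseline,
                "outliers": outliers,  # responses worth checking for a successful login
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {alert['attempts']} login attempts, "
              f"usual response {alert['baseline_size']} bytes, outliers {alert['outliers']}")
```

In the constructed log only 10.0.0.5 crosses the threshold; its single 4702-byte response is reported as the outlier, while the one-off login from 192.168.1.20 with the same size is not flagged because it never forms a burst. The same response-size reasoning is why a login page that always returns a uniformly sized, generic failure message, combined with rate limiting or lockout per account and per source, removes most of what the Intruder attack relies on.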

Credentials found

Head back to the Intercept tab, change the username and password fields to the credentials that were found, and forward the request.

Admin access gained.
