Brute Forcing a Damn Vulnerable Web Application

Image credit to Pixabay — https://pixabay.com/photos/computer-security-padlock-hacker-1591018/

This article is part of the Damn Vulnerable Web Application (DVWA) practical I writed to complete my journey in the field of cyber security and get anybody who willing to get a brief view about the threat in web application they use. Please be consider not to use the technique in this article on any other websites you don’t owned by nor permission to test for.

There are many tools with brute force feature to consider, but in this article we gonna use the famous graphic user interface based tool so called Burp Suite from PortSwigger. From now on, we simply call it as Burp.

Set of Practical Tools:
Framework: DVWA
Local target URL: http://meta.stb/dvwa/vulnerabilities/brute/
Attacking Tool: Burp, FoxyProxy

I tried to enter a common authentication with a username admin and password admin. It send a GET request like showed up on the URL and returned a failed message bellow the login form.

Now, lets open Burp and activate a proxy to capture data from web request with a web browser plugin called FoxyProxy like here in bellow image.

Now the proxy being activated and lets access the previous URL to send request trough the proxy so we can capture some data and variable within. Make sure the intercept mode is on.
http://meta.stb/dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login#

Check out the Burp tab Proxy-intercept, make sure it shows our target URL and sent the data intercepted into intruder tab by pressing CTRL+i

Press Clear button to clear all the payload position and select only password value on our target URL and press Add button. We would attack the password field with a set of password-list like so

admin
secret
test
12345
password

Copy and paste the password set above into the Payload Options box

Then go to option tab and click fetch response button to get HTML code response based on our target URL. Block the response message like bellow and press OK. This message will be our easy guide to determine what is the correct password we found instead of sort the length of returned data.

Press the Start Attack button to begin the Brute Force process and wait until all the password being tested. Like the picture bellow, we got the password in list number 5 with no failed message and different length of compared to the other.

That’s how to do a Brute Force with Burp. We can only do the method if the target login form have no login limitation nor captcha on it. Here are the source of tools we use in this article.

https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
https://portswigger.net/burp
https://dvwa.co.uk/