Penetration Testing

DVWA Brute Force | Penetration Testing | Burp Suite

DVWA Brute Force with Burp Suite Tutorial - Learn how to BruteForce DVWA Lab - With the low, medium, and high levels security

DVWA Brute Force – In this tutorial, I will show you how to overcome low, medium and strong levels of brute force challenge within DVWA (Dame Vulnerable Web App).

If you want to follow and do not yet have a DVWA setup, check out this DVWA Risk Server Setup tutorial. This will use to set up a virtual machine that is vulnerable and install a DVWA. I have used this as the basis for all my web hacking lessons in Hemps Tutorials.

he The problem is that Tamper Data no longer works in Firefox, this is because they have switched to a new framework for developing Firefox extensions. This means we will have to use something else as a proxy and host our web applications.

The best alternative to Tamper Data is to use Burp Suite as our representative to scan the web applications we need to build our hydra command.

Also_Read : How to Create Free Windows RDP VPS | Easy Method | Azure Sandbox

None of the material in this article is intended to educate or facilitate the use of protective equipment or methods for any illicit or illegal purposes. Always act honestly. Make sure you have written permission from the right people before using any of the tools or techniques described here.


Lab Requirements :

    • Any OS (Linux)
    • DVWA Web Server
    • BurpSuite


Video Hindi 



Setting up the Proxy Server :

Burp Suite will work as a hosting server. In fact, this means that our applications use Burp Suite – it stays in the middle. This is a very simple explanation, but you get the idea. If you would like to learn more about hosting servers, here is what you are learning.

HTTP request now:
Our Browser -> Targeted server (DVWA)

HTTP request by proxy:
Our Browser -> Proxy Server (BurpSuite) -> Targeted Server (DVWA)

Since Burp Suite is centrally located, we may terminate a request from our browser before accessing the targeted server. There are many reasons why we might want to do this. In the context of this attack we are doing so in order to test the HTTP request.

For this to work we need to point our browser to the proxy server, so that all requests can go through it. So, let’s do that. Continue to open the Burp Suite. DVWA Brute Force

Open the Burp Suite, once the Burp is loaded, click the Proxy tab and Options and make sure you have a proxy listener setting.

Kali’s default installed browser is Ice Weasel. Go ahead and open that, and we’ll redirect you to our Burp Suite proxy server. In the url type type about:preferences, this will take you to the settings page. On the left select Advanced, on the right tab select Network. Click Settings and enter the host server address.

Browser Settings > General > Network Settings 


Staet Brute Force Attack (Low/Medium) Security


Also Read : How to Install DVWA in Linux & Android

Also_Read : How to Install BurpSuite Professional (Pro) Latest Version for Free

Also Read : How to Install Burpsuite on Linux & Android Termux Devices

Step 1:  BurpSuite and connect to the porxy server Turn Intercept On Within Burp Suite move across to the Porxy > intercept tab and make sure the Intercept button is on

Now that all the representative is ready we need to apply on the DVWA Brute Force page. You use any Random username and Password Enter and click the login button. input field typing any character and then click enter

Our application was filmed in the burp suite right click on your burp suite and submit a brute force attack request

Step 2 :  Right Click and Click on Send To Intruder.

Now go to Intruder

Now of our entire selected all field click the clear button [ right site middle clear button ]

we change our Attack Collection mode bomb for username field and double-click your username and click the add button

The second step is to add our password field now and double-click the password field and click the add button

Choose Attack Type Attack Type : Cluster Bomb

Go to Payload tab and setup payloads. see image file our username and password field selected go to the payloads section and import your username password wordlist.

Username Wordlist Add :

Payload Set :( 1= you username field )

Payload Type: Runtime file ( this add wordlist file )

Click Select file and choose username.txt file

The next step is to add a password field name list to change our upload setup now select 2 fields and Upload our password list.

Password Wordlist Add :

Payload Set : 2  ( 2= you password field )

Payload Type: Runtime file ( this add wordlist file )

Click Select file and choose password.txt file


Step 3 : Click on Start Attack ( Right site up ).

After finishing our payloads we now finding our. correct password double click the Length button and see the different lengths of our first table.

to check the username and password select our first field and the toggle button and click the Render page.


We see a unique message Welcome to a password protected environment Our Bruteforce level is complete.

Also_Read : What Is Carding & How to learn carding?


Hello, I'm SUMAN from India. I’m currently working on Cyber Ethical Hacking. I’m currently learning more about Hacking, Web Design, Android ROM, Mod Hacking App
Notify of
Inline Feedbacks
View all comments
Back to top button
Would love your thoughts, please comment.x