DVWA : Brute Force Vulnerability Solution (Low & Medium Security Level)

Hello Everyone!!
I will cover the steps to solve Brute Force challenge in this blog. A Brute Force vulnerability occurs when an application allows an attacker to repeatedly attempt to guess or use different combinations of credentials without any limitation or sufficient protection. The attacker tries all possible combinations until the valid credential is found, which can lead to unauthorized access to the application.

Brute Force — Low Security Level

Login to DVWA application and go to the challenge

Provide any random value in Username & Password input fields and click on the Login button. Application will throw “Username and/or password incorrect.” error message for the invalid credentials.

Capture the login request in Burp Suite tool and send the captured request in the Intruder tab to perform the brute force attack.

We will perform the attack considering both username & password is unknown so payload position in the Intruder tab need to be set for the both input fields and we will select attack type as Cluster bomb so that all possible combination of given username & password will be used by the Intruder -

We can load a list of usernames and passwords for Payload set 1 & Payload set 2 respectively.

Eventually if valid username & password present in the given list, tool will be able to find out the correct credentials. We can figure out the valid credentials by observing change of length value.

Lets try the identified credentials in DVWA challenge page and it can be observed that user is able to login successfully.

Brute Force — Medium Security Level

Change the security level to Medium and then go to the Brute Force challenge again. Follow similar steps and provide random value in the username & password field then use Intruder to attack in these fields.

It has been observed that tool is able to identify the valid credentials again however it will take comparatively more time to get the correct credentials.

Lets try the identified credentials in DVWA challenge page and it can be observed that user is able to login successfully in the Medium security level of challenge.

We can review to source code behind this challenge for both security level as given below —

if( $result && mysqli_num_rows( $result ) == 1 ) {
// Get users details
$row = mysqli_fetch_assoc( $result );
$avatar = $row[“avatar”];
// Login successful
echo “<p>Welcome to the password protected area {$user}</p>”;
echo “<img src=\”{$avatar}\” />”;
}
else {
// Login failed
sleep( 2 );
echo “<pre><br />Username and/or password incorrect.</pre>”;
}

Here, we can notice additional line i.e. sleep(2) in the Medium level which will introduce a delay after each failed login attempt, which slows down automated brute force attack by increasing the time required for each login attempt.

Note: Brute Force attack is not advised in the real world application as it can hamper the application and this blog is for learning purpose.