DVWA - Brute Force (High Level) - Anti-CSRF Tokens

This is the final "how to" guide on brute forcing Damn Vulnerable Web Application (DVWA), this time on the high security level. It is an expansion of the "low" level post (which is a straightforward HTTP GET form attack). The main login screen shares similar issues (it is brute force-able and uses anti-CSRF tokens). The only other posting is the "medium" security level post (which deals with timing issues).

Brute Force DVWA High Level

For the final time, let's pretend we do not know any credentials for DVWA...

Let's play dumb and brute force DVWA... once and for all!

DVWA - Brute Force (Medium Level) - Time Delay

This post is a "how to" guide for Damn Vulnerable Web Application (DVWA)'s brute force module on the medium security level. It is an expansion of the "low" level post (which is a straightforward HTTP GET form attack), and leads into the "high" security post (which involves CSRF tokens). There is also an additional brute force option on the main login screen (consisting of POST redirects and an incorrect anti-CSRF system).

Brute Force DVWA Medium Level

Once again, let's pretend we do not know any credentials for DVWA.

Let's play dumb and brute force DVWA... again... again!

DVWA Brute Force (Low Level) - HTTP GET Form [Hydra, Patator, Burp]

This post is a "how to" for the "brute force" module set to "low" level security inside of Damn Vulnerable Web Application (DVWA). There are separate posts for the medium level (time delay) and high setting (CSRF tokens). There is a related post for the login screen as it was also brute forced (HTTP POST form with CSRF tokens).

Brute Force DVWA Low Level

Once more, let's forget the credentials we used to log in to DVWA with (admin:password).

Let's not try the default login for the web application.

Let's play dumb and brute force DVWA... again.

DVWA - Main Login Page - Brute Force HTTP POST Form With CSRF Tokens

Upon installing Damn Vulnerable Web Application (DVWA), the first screen will be the main login page. Even though technically this is not a module, why not attack it? DVWA is made up of designed exercises, one of which is a challenge designed to be brute forced.

DVWA Login

Let's pretend we did not read the documentation, the message shown on the setup screens, or the note on the homepage of the software when we downloaded the web application.

Let's forget the default login is: admin:password (which is also a very common default login)!

Let's play dumb and brute force it =).

Damn Vulnerable Web Application (DVWA)

This is a SERIES of blog posts, which will all relate to one another, but will take time.

I'm publishing as I go, but will come back and edit them in places at a later date - as well as adding in videos.

Best to check back when there is the "Undocumented" Bugs/Vulnerabilities post (that will be the last post!) ;-).

The following posts will demonstrate various environments, scenarios and setups. This will cover a mixture of Operating Systems (Linux & Windows), a range of web servers (Apache, Nginx & IIS), different versions of PHP (v5.4 & v5.6), databases (MySQL & MariaDB) as well as user permissions (inside the services and also for the accounts running the services on the OS itself). DVWA also comes with an (outdated) Web Application Firewall (WAF) called PHP-IDS, which has its own issues! Lastly, there are "undocumented" vulnerabilities in DVWA's core which are either hidden bugs and/or unintended issues...

DVWA Logo

Offensive Security Wireless Attacks (WiFu) + Offensive Security Wireless (OSWP)

The views and opinions expressed on this site are those of the author. Any claim, statistic, quote or other representation about a product or service should be verified with the seller, manufacturer or provider.

A few months back, I took Offensive Security's online WiFu course & OSWP exam; as I had written up reviews for PWB/OSCP & CTP/OSCE, I thought I would do this too. As always, everything in this post is both personal comments and my own experience with the course.

Offsec WiFu Box

Cracking the Perimeter (CTP) + Offensive Security Certified Expert (OSCE)

It's been a while (just shy of two years) since I did "Penetration Testing with BackTrack (PWB) & Offensive Security Certified Professional (OSCP)". Over the last couple of weeks I've taken the next step with Offensive Security's training course – "Cracking the Perimeter (CTP)", which, when successfully passed, gives you "Offensive Security Certified Expert (OSCE)" certificate. Below are my thoughts & feelings regarding my overall experience of the course.

Offsec CTP box

pWnOS 2 (PHP Web Application)

This is the second release in the "pWnOS" vulnerable machine collection, however, it has a different creator from the previous one (which explains why it has a different "feel" to it). As always with "boot2root" machines, it has purposely built "issues" allowing for the machine to become compromised, with the end goal being to become the super user, "root". This method uses a vulnerability in a PHP web application (see here for exploiting via SQL injection).

pwnOS Logo

pWnOS 2 (SQL Injection)

This is the second release in the "pWnOS" vulnerable machine collection, however, it has a different creator from the previous one (which explains why it has a different "feel" to it). As before, it has purposely built in "issues" allowing the machine to become compromised. This method uses a SQL injection flaw (see here for exploiting the PHP web application). As always with "boot2root" machines, the end goal is to become the super user, "root".

pwnOS Logo

21LTR - Scene 1

21ltr is another boot2root collection, with its own unique twist. It has various 'issues' with the operating system, which have been purposely put in place to make it vulnerable by design. The end goal is to become the 'super user' of the system (aka 'root'). There is an optional stage afterwards, in which the user can try to find the 'flag', proving (to themselves) that they successfully completed it.

21ltr Logo