DVWA Brute Force Tutorial (Medium Security)

*** Nothing contained in this article is intended to teach or encourage the use of security tools or methodologies for illegal or unethical purposes. Always act in a responsible manner. Make sure you have written permission from the proper individuals before you use any of the tools or techniques described here.

This tutorial demonstrates how you can complete a brute force attack on DVWA (Damn Vulnerable Web Application) on medium security.

We’re going to jump straight in, so if you haven’t already, I recommend working through the previous tutorial for the low security brute force attack.

Let’s start by running the same Hydra command from the last tutorial and see what happens:

hydra -l admin -P /usr/share/set/src/fasttrack/wordlist.txt http-get-form "dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=Low;PHPSESSID=ahs8eugnukjh9auegathrbfg5"

Note: ensure your PHPSESSID token is correct as this can change over time.

The above attack will still work. But what you should notice is that the attack takes significantly longer than before.

Let’s see what is going on.

The response time for medium security is roughly an additional 2 seconds. Run this a few more times to check that the result is consistent and not a one-off slow connection. This should confirm there is in fact a delayed response after a failed login.

So, it would appear there is now an additional security measure in place to hinder our attack efforts — albeit a relatively ineffective one.
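To put a number on how weak a fixed delay is as a control, here is an added example (not code from DVWA or from this tutorial) that compares it with a per-account lockout. The 2-second delay is the one measured above; the 3-failure threshold, the 15-minute lock and all names are assumptions chosen for illustration.

```python
import math

FIXED_DELAY_S = 2.0  # delay after a failed login, as measured above


def guesses_fixed_delay(window_s, delay_s=FIXED_DELAY_S):
    """Failed guesses one connection can make in window_s when a
    failure only costs delay_s of waiting."""
    return math.floor(window_s / delay_s)


class AccountLockout:
    """Per-account failure counter (hypothetical policy): after
    max_failures bad passwords the account is locked for lock_s."""

    def __init__(self, max_failures=3, lock_s=900):
        self.max_failures = max_failures
        self.lock_s = lock_s
        self.state = {}  # username -> (failures, locked_until)

    def attempt(self, username, password_ok, now):
        failures, locked_until = self.state.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"  # credentials are not evaluated at all
        if password_ok:
            self.state.pop(username, None)  # success resets the counter
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            self.state[username] = (0, now + self.lock_s)
        else:
            self.state[username] = (failures, 0.0)
        return "failed"


def guesses_with_lockout(window_s, interval_s=FIXED_DELAY_S, **policy):
    """Replay one wrong password every interval_s seconds and count
    how many the server actually evaluated under the lockout policy."""
    guard = AccountLockout(**policy)
    evaluated, t = 0, 0.0
    while t < window_s:
        if guard.attempt("admin", False, t) == "failed":
            evaluated += 1
        t += interval_s
    return evaluated


if __name__ == "__main__":
    print("fixed delay, 1 hour:", guesses_fixed_delay(3600))
    print("lockout,     1 hour:", guesses_with_lockout(3600))
```

The delay only stretches the time per guess, while the lockout caps how many guesses against one account are evaluated at all, whatever the request rate.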

I will probably come back to this tutorial at a later date to discuss how we can reduce the attack time to make this method more viable.

Happy hacking,

