Mr Elite

Posted on • Originally published at securityelites.com

DVWA Burp Suite Integration Lab 2026 — Full Attack Walkthrough Using Burp Suite | Hacking Lab24

Part of the DVWA Lab Series — 30 Labs

Lab 24 of 30 · 80% complete

⚠️ Authorised Lab Use Only: DVWA Burp Suite Integration Lab uses Burp Suite to intercept, modify, and attack a DVWA installation. Run this exclusively against DVWA on your own local machine or dedicated lab environment. Never use Burp Suite’s active testing features — Intruder, Scanner, or Repeater attacks — against systems you don’t own or have explicit written authorisation to test. Unauthorised interception and manipulation of HTTP traffic is illegal in most jurisdictions.

You’ve been running DVWA and Burp Suite as separate tools. DVWA gives you the vulnerable target. Burp gives you the proxy. Most learners never connect them properly — they type SQL payloads directly in the browser form, get a response, and move on. That’s not how web application security testing works professionally.

The entire point of Burp Suite is that it sits between your browser and the target, giving you complete control over every HTTP request before it leaves your machine. Change parameters, add headers, inject payloads, replay requests hundreds of times with automated payload lists — all without touching the browser form again. When you combine DVWA’s known-vulnerable modules with Burp’s full interception capability, you have a complete professional testing workflow in a controlled environment.

DVWA Burp Suite Integration Lab 24 integrates everything: proxy configuration, request interception, Repeater-based SQL injection, Intruder-based brute force, and Scanner on the full DVWA attack surface. By the end of this lab you’ll run every DVWA module through Burp the way a professional web application tester does.

🎯 What You’ll Master in Lab 24

- Configure Burp Suite as a proxy for DVWA — correctly, with HTTPS interception working
- Intercept and modify DVWA requests in Burp Proxy before they reach the server
- Use Burp Repeater to iterate SQL injection payloads against DVWA SQL module
- Use Burp Intruder to automate credential attacks against DVWA Brute Force module
- Run Active Scanner across the full DVWA attack surface and triage results

⏱️ 90 min lab · 3 terminal exercises · All Burp Community Edition

### ✅ Prerequisites

- DVWA running locally (completed in Lab 1 — DVWA Setup)
- Burp Suite Community Edition installed on Kali Linux (sudo apt install burpsuite)
- Firefox browser available (Burp proxy configuration works best with Firefox)
- Labs 7–8 complete: SQL Injection Lab and Brute Force Lab — you should understand the manual attack before automating it

### 📋 DVWA Burp Suite Integration Lab 24 – Contents

1. Step 1 — Configure Burp Suite as DVWA Proxy
2. Step 2 — Intercept and Modify DVWA Requests
3. Step 3 — Burp Repeater: SQL Injection on DVWA
4. Step 4 — Burp Intruder: Brute Force on DVWA
5. Step 5 — Active Scanner on Full DVWA Attack Surface
6. Step 6 — Full Professional Workflow: Discover → Scan → Verify → Report

## Step 1 — Configure Burp Suite as DVWA Proxy

Get this right first — a misconfigured proxy is the most common reason Burp labs fail. You need three things aligned: Burp listening on 8080, Firefox pointing to 8080, and the Burp CA certificate installed in Firefox for HTTPS interception.

BURP SUITE PROXY SETUP — STEP BY STEP

Step 1: Launch Burp Suite Community Edition

burpsuite &

Or from Applications menu → Web Application Analysis → burpsuite

Step 2: Verify proxy listener (Proxy tab → Options)

Proxy Listener: 127.0.0.1:8080 Running: ✓

If not running: Add → Interface = 127.0.0.1:8080 → OK

Step 3: Configure Firefox proxy

Firefox → Hamburger Menu → Settings → Network Settings → Manual Proxy
HTTP Proxy: 127.0.0.1 Port: 8080
☑ Use this proxy server for all protocols

Step 4: Install Burp CA Certificate (for HTTPS interception)

Firefox → navigate to: http://burpsuite
Download CA Certificate → save burp.der
Firefox → Settings → Privacy → Certificates → View Certificates
Import → select burp.der → ☑ Trust to identify websites → OK

Step 5: Verify interception working

Burp → Proxy → Intercept → turn Intercept ON
Firefox → navigate to http://127.0.0.1/dvwa/
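Request appears in Burp Proxy Intercept tab ← success
If nothing appears: Firefox bypasses the proxy for localhost and 127.0.0.1 by default; set network.proxy.allow_hijacking_localhost to true in about:config and reload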
Click Forward to let it through

Burp Suite Proxy — Intercepted DVWA Login Request

```http
POST /dvwa/login.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Cookie: PHPSESSID=abc123; security=low

username=admin&password=password&Login=Login
```

📸 Burp Suite Proxy intercepting a DVWA login POST request. The request is frozen mid-flight — you can modify any parameter before forwarding it to DVWA. Change the password value, add SQL payloads, modify headers, or send the request directly to Repeater or Intruder for further testing. This interception capability is what makes Burp Suite the professional standard for web application testing rather than just a browser with developer tools.

## Step 2 — Intercept and Modify DVWA Requests

With Intercept ON, every request from Firefox pauses in Burp before reaching DVWA. This is how you test parameters that aren’t directly editable in the browser form — hidden fields, cookies, custom headers. Change the value, forward it, see what DVWA returns.

INTERCEPTING AND MODIFYING DVWA REQUESTS

Set DVWA security level to Low via Burp (bypassing the form)

  1. Navigate to DVWA Security page in Firefox
  2. Enable Intercept → submit Security = Low form
  3. In Proxy Intercept, modify the POST body: security=low&seclev_submit=Submit
  4. Forward — DVWA now runs at Low security
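
What the edit in step 3 amounts to at the byte level, as an added example that is not part of the original article: the body field is rewritten and Content-Length is recomputed to match, which Burp does for you when you edit in the Intercept tab. The request path, the session value and the starting level `impossible` are assumptions made for this constructed sample.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample of an intercepted security-level request. The path and the
# "impossible" starting value are assumptions; the body fields are the lab's.
INTERCEPTED = (
    b"POST /dvwa/security.php HTTP/1.1\r\n"
    b"Host: 127.0.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 40\r\n"
    b"Cookie: PHPSESSID=abc123; security=impossible\r\n"
    b"\r\n"
    b"security=impossible&seclev_submit=Submit"
)


def split_request(raw):
    """Split a raw request into (request line, [(name, value)], body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def declared_length_ok(raw):
    """True when the single Content-Length header equals the real body size."""
    _, headers, body = split_request(raw)
    declared = [v for n, v in headers if n.lower() == "content-length"]
    return len(declared) == 1 and declared[0].isdigit() and int(declared[0]) == len(body)


def edit_form_field(raw, field, value):
    """Replace one urlencoded body field, then recompute Content-Length."""
    line, headers, body = split_request(raw)
    pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True)
    if field not in dict(pairs):
        raise KeyError(field)
    new_body = urlencode([(k, value if k == field else v) for k, v in pairs]).encode("ascii")
    headers = [(n, str(len(new_body)) if n.lower() == "content-length" else v)
               for n, v in headers]
    head = "\r\n".join([line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + new_body
```

A body edited by hand without the length fix-up fails `declared_length_ok`, which is the usual cause of a truncated or hanging request when a saved request is replayed outside Burp.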

This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
