Penetration Testing ??? Use DVWA ~ ALL IN ONE

Saturday, July 14, 2012

Penetration Testing ??? Use DVWA

at 9:44 AM Posted by Tony Thomas

As their website says :- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment. Elaborated :-

DVWA – Damn Vulnerable Web Application

Script kiddies like me :) would be searching for and finding info on Exploiting vulnerabilities in web applications , such as SQL injection , XSS-CSS and others and testing them live on websites they find vulnerable .

But the problem here is that all majorWeb Applications has activity logs and all your code executions and other details including your ip address and other identities gets left there . Check this out :-

The PHPIDS(Intrusion Detection System) shows that a user from IP 127.0.0.1 has tried to exploit the xss vulnerability by running code - "><script>eval(window.name)</script>".This log available to the admin can cause for serious risks in case of any enquiries . So? How to test these attacks safely . There comes DVWA.
It can be used to practice :-

Brute forcce
Local file Inclusion
Remote file inclusion
SQL injection
Upload script
Command Execution
XSS

Installation :-

Like every PHP web application , it require a PHP server to execute , hence use WAMP or XAMPP

· Download XAMPP or WAMP .
· Download DVWA from here or direct link – [dvwa.zip].
· Extract the folder DVWA to C:\wamp\www\ or C :\xampp\htdocs\ (select as per your download XAMPP or WAMP )
· Open up your browser and go to : - localhost/dvwa/index.php
Click on set up New Database.-> Logout
.