InfoSecLabs
  • Information Security Labs
  • Cryptography
    • Introduction to OpenSSL/LibreSSL
    • Symmetric cryptography
    • Asymmetric cryptography
    • Hashes and Message Authentication Codes
    • Elliptic Curve Cryptography
    • Diffie-Hellman (DH)
    • Digital Signatures
    • Digital Certificates
    • S/MIME
    • OCSP - Online Certificate Status Protocol
    • SSL/TLS
  • Passwords
    • Understanding and attacking password-based systems
    • THC-Hydra
    • John the Ripper
    • Hashcat
  • Vulnerability Testing
    • Introduction to vulnerability testing
    • Reconnaissance and Footprinting
      • OSINT
      • Maltego
      • Recon-ng
      • theHarvester
      • dmitry
    • Scanning and Enumeration
      • Nmap
      • Hping3
    • Vulnerability Identification and Analysis
      • OpenVAS
        • OpenVAS Architecture
        • Installing OpenVAS on Kali Linux
        • Starting and Stopping OpenVAS
        • Navigating through OpenVAS
        • Scanning a target
      • Nessus
  • Vulnerability Exploitation
    • About the Metasploit Framework
    • Basics of Metasploit Framework
    • Exploitation with Metasploit Framework
      • vsftp Backdoor Vulnerability [CVE-2011-2523]
      • UnrealIRCd backdoor [CVE-2010-2075]
      • distCC RCE [CVE-2004-2687]
      • Java RMI Server Insecure Default Configuration RCE Vulnerability
      • VNC Brute Force Login
      • MySQL / MariaDB Default Credentials (MySQL Protocol)
      • SAMBA (Samba “username map script” Command Execution)
      • Tomcat (Apache Tomcat Manager Application Deployer Authenticated Code Execution)
      • Apache (CGI Argument Injection)
      • Windows Eternalblue [CVE-2017-143,144,145,146,148]
    • Create payload to exploit users
  • Application Security
    • DVWA - Damn Vulnerable Web Application
      • Introduction
      • Setup
      • Web Apps Vulnerability Testing
        • Brute-Force
        • Command Injection
        • File inclusion
        • File upload
        • SQL Injection
        • SQL Injection (Blind)
        • XSS (Reflected)
        • XSS (Stored)
  • Social Engineering
Powered by GitBook
On this page
  1. Application Security
  2. DVWA - Damn Vulnerable Web Application

Introduction

PreviousDVWA - Damn Vulnerable Web ApplicationNextSetup

Last updated 1 year ago

This document aims to demonstrate a set of Web application security laboratories, based on a set of vulnerability analysis tools and on some PHP exploitation techniques.

For these laboratories will be used an application purposely vulnerable as a way of demonstrating some of the techniques applied. This application is called . The DVWA is a Web application developed in PHP with a MySQL database, which is purposely insecure.

To run these labs the following requirements are needed:

  • Kali Linux, in particular the following tools (although others can also be used):

    • Nikto

    • W3af (note: this tool is no longer supported by Kali Linux)

    • Skipfish

    • Burp Suite

    • OWASP ZAP

    • Metasploit

    • sqlmap

    • Hydra

  • Apache Web Server

  • Database server MySQL.

The goal of these laboratories is even to demonstrate how a Web application can be exploited, and some of these attacks only result in an insecure application, with few security concerns, either in terms of development or configuration.

It is important to emphasize that it is not recommended to apply some of these techniques in real Web applications (spread across the Web), and students should apply them only to laboratories developed for this purpose.

Damn Vulnerable Web Application (DVWA)