InfoSecLabs
  • Information Security Labs
  • Cryptography
    • Introduction to OpenSSL/LibreSSL
    • Symmetric cryptography
    • Asymmetric cryptography
    • Hashes and Message Authentication Codes
    • Elliptic Curve Cryptography
    • Diffie-Hellman (DH)
    • Digital Signatures
    • Digital Certificates
    • S/MIME
    • OCSP - Online Certificate Status Protocol
    • SSL/TLS
  • Passwords
    • Understanding and attacking password-based systems
    • THC-Hydra
    • John the Ripper
    • Hashcat
  • Vulnerability Testing
    • Introduction to vulnerability testing
    • Reconnaissance and Footprinting
      • OSINT
      • Maltego
      • Recon-ng
      • theHarvester
      • dmitry
    • Scanning and Enumeration
      • Nmap
      • Hping3
    • Vulnerability Identification and Analysis
      • OpenVAS
        • OpenVAS Architecture
        • Installing OpenVAS on Kali Linux
        • Starting and Stopping OpenVAS
        • Navigating through OpenVAS
        • Scanning a target
      • Nessus
  • Vulnerability Exploitation
    • About the Metasploit Framework
    • Basics of Metasploit Framework
    • Exploitation with Metasploit Framework
      • vsftp Backdoor Vulnerability [CVE-2011-2523]
      • UnrealIRCd backdoor [CVE-2010-2075]
      • distCC RCE [CVE-2004-2687]
      • Java RMI Server Insecure Default Configuration RCE Vulnerability
      • VNC Brute Force Login
      • MySQL / MariaDB Default Credentials (MySQL Protocol)
      • SAMBA (Samba “username map script” Command Execution)
      • Tomcat (Apache Tomcat Manager Application Deployer Authenticated Code Execution)
      • Apache (CGI Argument Injection)
      • Windows Eternalblue [CVE-2017-143,144,145,146,148]
    • Create payload to exploit users
  • Application Security
    • DVWA - Damn Vulnerable Web Application
      • Introduction
      • Setup
      • Web Apps Vulnerability Testing
        • Brute-Force
        • Command Injection
        • File inclusion
        • File upload
        • SQL Injection
        • SQL Injection (Blind)
        • XSS (Reflected)
        • XSS (Stored)
  • Social Engineering
Powered by GitBook
On this page
  • Install DVWA
  • DVWA Security
  1. Application Security
  2. DVWA - Damn Vulnerable Web Application

Setup

PreviousIntroductionNextWeb Apps Vulnerability Testing

Last updated 2 years ago

Install DVWA

After installing and configuring the Apache web server and MySQL database server, it is necessary to install DVWA.

Installation is simple, just unzip the ZIP file containing the application and copy them to the appropriate directory on the Apache Web server. If you choose, you can also use the Linux distribution, called Metasploitable 2, where DVWA (along with other applications) is already installed.

When invoked for the first time it is necessary to install the DVWA database, in MySQL. It may be necessary to edit the config.inc.php file which will be in the "config" folder and configure the username and password to access the MySQL database server.

Default username and password in DVWA are as follows:

  • Login: admin

  • Password: password

DVWA Security

Put the security mode (DVWA Security) of the Web application - DVWA - in "low" mode. This is done only for the sake of simplicity of the very attacks that can be carried out against the application. The higher the security level, the more complex the attacks to be carried out will become.

For the intended effect it is enough. It serves to demonstrate the most basic attacks with little resistance from the application itself. However, it is important to understand the variations between the different security levels to improve the techniques applied. However, the techniques to be applied will be the same, varying only some minor aspects of them.