2012-07-15

DVWA

As their website says:- "Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment." Elaborated:-

DVWA – Damn Vulnerable Web Application

Script kiddies like me would be searching and finding info on exploiting vulnerabilities in web applications, such as SQL injection, XSS/CSS and others, and testing them live on websites they find vulnerable.

But the problem here is that every major web application keeps activity logs, and every request you send, including your IP address and other identifying details, gets left there. Check this out:



The PHPIDS (PHP Intrusion Detection System) log shows that a user from IP 127.0.0.1 has tried to exploit the XSS vulnerability. This log is available to the admin and can cause serious trouble in case of any enquiry. So, how do you test these attacks safely? That is where DVWA comes in.
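The logging point cuts both ways, so here is an added example of the defender's side (not code from the post, DVWA or PHPIDS): a small Python scanner that parses constructed Apache-style access-log lines for DVWA paths, URL-decodes each query parameter, and reports the source IP and timestamp of every request that matches a simplified XSS or SQL injection signature. The log lines and the signature patterns are constructed for illustration, not PHPIDS's real rule set.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format access log lines (not real traffic).
# Paths mirror DVWA's layout; the payloads are textbook illustrations only.
SAMPLE_LOG = """\
127.0.0.1 - - [15/Jul/2012:10:01:02 +0530] "GET /dvwa/vulnerabilities/xss_r/?name=Tony HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
127.0.0.1 - - [15/Jul/2012:10:01:40 +0530] "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Jul/2012:10:02:11 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1%27+OR+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 1710 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Jul/2012:10:02:30 +0530] "GET /dvwa/login.php HTTP/1.1" 200 1289 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Simplified signatures (constructed, in the spirit of IDS filter rules).
# They run on URL-decoded parameter values, so %3Cscript%3E is still caught.
SIGNATURES = {
    "xss": re.compile(r"<\s*script|on\w+\s*=|javascript:", re.I),
    "sqli": re.compile(r"'\s*(or|and)\s*'?\d|union\s+select|--\s*$", re.I),
}


def classify_request(target):
    """Return the set of signature names that fire on the request's query values."""
    hits = set()
    # parse_qsl percent-decodes values and turns '+' into spaces for us.
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(name)
    return hits


def scan_log(text):
    """Return (ip, time, target, rules) for every log line that triggers a signature."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        rules = classify_request(m["target"])
        if rules:
            alerts.append((m["ip"], m["time"], m["target"], sorted(rules)))
    return alerts


if __name__ == "__main__":
    for ip, when, target, rules in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} {','.join(rules)} {target}")
```

Run against the constructed log, it attributes the XSS probe to 127.0.0.1 and the SQL injection probe to 10.0.0.7, which is exactly the kind of record an admin reads back later.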

It can be used to practice:-

Brute force

Local file inclusion

Remote file inclusion

SQL injection

Upload script

Command execution

XSS/CSS


Installation :-

Like every PHP web application, it requires a web server to run, so use WAMP or XAMPP.

Download XAMPP or WAMP.

Download DVWA from here or via the direct link – [dvwa.zip].

P.S. check how vulnerable it is :-

Extract the DVWA folder to C:\wamp\www\ or C:\xampp\htdocs\ (depending on whether you installed WAMP or XAMPP).

Open your browser and go to localhost/dvwa/index.php. Log in with the default username admin and password password.

For beginners, change the security level to low and start hunting :)



Tips and tools to start attacks :-

Use Mozilla Firefox. It is good with add-ons and running scripts.

Tools :-

Brute force – Brutus (download)

SQL injection – Havij Pro (download), Firefox add-on – SQL Inject Me

XSS – Firefox add-on – XSS Me


DVWA can be used on BackTrack Linux too. Just copy the files to the /var/www directory.


About the Author

Tony Thomas

Infosec Enthusiast, Student

https://www.facebook.com/tonyt4u
