Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn defenseless.
Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to aid teachers and students in teaching and learning web application security in a classroom environment.
Attacks Covered in DVWA
- Brute Force
- Command Execution
- File Inclusion
- SQL Injection
- SQL Injection (Blind)
- Shell Uploading
- XSS (Reflected)
- XSS (Stored)
Benefits of DVWA
- Hacking anything without permission is a crime, and as a student or beginner you have nobody to get such permission from; DVWA gives you a target you are allowed to use. For advanced users who want to sharpen their skills, DVWA is the best platform.
- With DVWA you do not have to ask anyone for permission: you simply install it in a virtual environment and start using it.
- It is very simple to install.
- It is the best place to practise hacking.
- Because it runs in your own local environment, it is totally legal.
As well as being vulnerable, DVWA has some other features which aid in the teaching or learning of web application security. DVWA's security features can be divided into two parts: the security levels and PHP-IDS.
The security levels are named low, medium, high and impossible. Each level changes the vulnerability state of DVWA throughout the application. By default, when DVWA is loaded, the security level is set to Impossible.
PHP-IDS is a popular PHP Intrusion Detection System (IDS), also known as a Web Application Firewall (WAF). PHP-IDS works by filtering all user-supplied input against a blacklist of potentially malicious code. PHP-IDS is used in DVWA as a live example of how WAFs can help improve the security of web applications and, in some cases, how WAFs can be circumvented.
There are also other vulnerable machines available, such as bWAPP, Mutillidae and Metasploitable, which you can try as well.
The first step is to download the DVWA source code from GitHub by typing the following command in your terminal:
Command: git clone https://github.com/ethicalhack3r/DVWA
Note: make sure you clone the DVWA package above inside the /var/www/html directory.
Next, rename DVWA's configuration file in the config directory from config.inc.php.dist to config.inc.php as shown below:
Command: cd DVWA/config
Command: mv config.inc.php.dist config.inc.php
Then give 777 permissions to the main DVWA directory by typing "chmod -R 777 DVWA/".
In this step you need to run a couple of commands to create a database and a user.
Before logging into the MySQL console, make sure the MySQL service is running (service mysql start).
To log into MySQL, the command is:
Command: mysql -u root -p
Then run the following commands inside the MySQL console; they create a new database named dvwa and a user named user (allowed to connect from 127.0.0.1) with the password pass:
Command: CREATE DATABASE dvwa;
Command: CREATE USER 'user'@'127.0.0.1' IDENTIFIED BY 'pass';
Command: GRANT ALL ON dvwa.* TO 'user'@'127.0.0.1';
Command: FLUSH PRIVILEGES;
Furthermore, edit your DVWA configuration file (config/config.inc.php) and fill in the database details you just created, as shown in the screenshot below.
Next, DVWA requires the PHP-GD module, which can be installed with apt-get install php-gd.
Finally, make one last change in the php.ini file (located at /etc/php/7.2/apache2/php.ini), setting the following directives:
allow_url_fopen = On
allow_url_include = On
At the end, start your Apache server by typing "service apache2 start".
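The terminal steps above (clone, config rename and edit, database and user creation, php-gd, php.ini directives, service start) collected into one POSIX shell script, as an added example that is not part of this guide or of the DVWA project. It assumes a Debian/Ubuntu host with the paths the guide uses (/var/www/html and /etc/php/7.2/apache2/php.ini) and the guide's database name, user and password; the four $_DVWA keys it rewrites (db_server, db_database, db_user, db_password) are the ones in DVWA's config.inc.php.dist, and the IF NOT EXISTS clauses are an addition so the SQL can be re-run. It also adds a check the guide does not show: after writing, it reads the config keys and php.ini directives back.

```shell
#!/bin/sh
# Added example (not DVWA's own installer): scripts the terminal steps of this guide.
# Assumed paths: /var/www/html as web root, /etc/php/7.2/apache2/php.ini for Apache's PHP.
# Database values are the guide's (dvwa / user@127.0.0.1 / pass).
# The privileged steps (clone, chmod, mysql, apt-get, service) run only when
# DVWA_RUN_INSTALL=1; otherwise the script just defines its functions.

DVWA_ROOT="${DVWA_ROOT:-/var/www/html/DVWA}"
PHP_INI="${PHP_INI:-/etc/php/7.2/apache2/php.ini}"
DB_HOST="${DB_HOST:-127.0.0.1}"
DB_NAME="${DB_NAME:-dvwa}"
DB_USER="${DB_USER:-user}"
DB_PASS="${DB_PASS:-pass}"

# Step 1: fetch the source into the web root (skipped if a checkout is already there).
fetch_dvwa() {
    [ -d "$DVWA_ROOT/.git" ] || git clone https://github.com/ethicalhack3r/DVWA "$DVWA_ROOT"
}

# Step 2: create config.inc.php from the .dist template and point the four database
# keys DVWA reads at our values. Takes the config directory so it can be run on a copy.
write_config() {
    cfg="$1/config.inc.php"
    [ -f "$cfg" ] || mv "$1/config.inc.php.dist" "$cfg"
    for kv in "db_server=$DB_HOST" "db_database=$DB_NAME" "db_user=$DB_USER" "db_password=$DB_PASS"; do
        key="${kv%%=*}"; val="${kv#*=}"
        # Rewrite the line "$_DVWA[ 'key' ] = ...;" keeping everything up to the "=".
        sed "s|^\([\$]_DVWA\[ *'$key' *\] *= *\).*|\1'$val';|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    done
}

# Reads back the value of one config key (used as a post-write check).
config_get() {
    sed -n "s|^[\$]_DVWA\[ *'$2' *\] *= *'\(.*\)';.*|\1|p" "$1/config.inc.php"
}

# Step 3: the guide's SQL, made re-runnable; pipe it into "mysql -u root -p".
db_sql() {
    printf '%s\n' \
        "CREATE DATABASE IF NOT EXISTS $DB_NAME;" \
        "CREATE USER IF NOT EXISTS '$DB_USER'@'$DB_HOST' IDENTIFIED BY '$DB_PASS';" \
        "GRANT ALL ON $DB_NAME.* TO '$DB_USER'@'$DB_HOST';" \
        "FLUSH PRIVILEGES;"
}

# Step 4: set a php.ini directive, replacing an existing (possibly commented-out)
# line or appending a new one.
set_ini() {
    ini="$1"; key="$2"; val="$3"
    if grep -Eq "^[[:space:]]*;?[[:space:]]*$key[[:space:]]*=" "$ini"; then
        sed "s|^[[:space:]]*;\{0,1\}[[:space:]]*$key[[:space:]]*=.*|$key = $val|" "$ini" > "$ini.tmp"
    else
        { cat "$ini"; printf '%s = %s\n' "$key" "$val"; } > "$ini.tmp"
    fi
    mv "$ini.tmp" "$ini"
}

# Effective value of a directive: last uncommented occurrence, trailing comment stripped.
ini_get() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\).*|\1|p" "$1" |
        sed 's|[[:space:]]*$||' | tail -n 1
}

# Post-write check: config keys and both php.ini directives read back as intended.
check_setup() {
    [ "$(config_get "$1" db_database)" = "$DB_NAME" ] &&
    [ "$(config_get "$1" db_user)" = "$DB_USER" ] &&
    [ "$(ini_get "$2" allow_url_fopen)" = "On" ] &&
    [ "$(ini_get "$2" allow_url_include)" = "On" ]
}

# Step 5: the privileged steps in the guide's order. chmod -R 777 is what the guide
# prescribes; it makes the whole tree world-writable, so keep this to a lab VM.
install_dvwa() {
    fetch_dvwa
    write_config "$DVWA_ROOT/config"
    chmod -R 777 "$DVWA_ROOT"
    service mysql start
    db_sql | mysql -u root -p
    apt-get install -y php-gd
    set_ini "$PHP_INI" allow_url_fopen On
    set_ini "$PHP_INI" allow_url_include On
    check_setup "$DVWA_ROOT/config" "$PHP_INI" || { echo "setup check failed" >&2; exit 1; }
    service apache2 start
    echo "Done: open http://<this-host>/DVWA, log in as admin/password, click Create/Reset Database."
}

if [ "${DVWA_RUN_INSTALL:-0}" = 1 ]; then
    install_dvwa
fi
```

Run it as root with `DVWA_RUN_INSTALL=1 sh dvwa-setup.sh` to perform the install; without the variable it only defines the functions, so `write_config` and `set_ini` can be tried on copies of the files first. Two of these steps are what make the result a lab-only configuration: allow_url_include lets PHP include code fetched from remote URLs (which the file-inclusion exercise depends on), and the 777 permissions let any local account modify the application.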
Access your local machine's IP in your browser (http://192.168.20.137/DVWA) and log in with the default credentials, which are:
Username – admin
Password – password
After that, you can see on the setup page that all the requirements DVWA checks for are satisfied.
When everything is right, simply click "Create/Reset Database", which automatically installs the DVWA application.
The screen below is the output when you click the "Create/Reset Database" button.
Last, set your security level to "low", "medium", "high" or "impossible".
The low setting mimics a vulnerable web application, while the high setting mimics a secure web application. In order to identify vulnerabilities in a web application, you must be attacking a vulnerable system.
DVWA can be used in a variety of ways.
- It can be used to teach web application security by showing practical examples and setting challenges for students.
- It can be used simply as a learning aid; DVWA is designed to be as easy as possible to set up and use.
- There is plenty of information within DVWA to help the beginner get started. DVWA can also be used as a reference for secure coding: if developers are not quite sure whether they have protected their application against XSS, for example, they can view DVWA's source code as a reference.
- After all, the DVWA source code has been peer reviewed by thousands of security professionals and students.