Did you know that you can navigate the posts by swiping left and right?
What’s Damn Vulnerable Web Application (DVWA)?
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
The aim of DVWA is to practice some of the most common web vulnerability, with various difficultly levels, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerability with this software. This is intentional. You are encouraged to try and discover as many issues as possible.
So let’s set it up in our Kali installation!
DVWA needs apache and mysql, and Kali comes with those two installed. So let’s download the source code, start these two services and start the web application:
# Download and unzip DVWA wget https://github.com/ethicalhack3r/DVWA/archive/master.zip -O dvwa.zip unzip dvwa.zip # start apache and mysql service apache2 start service mysql start # Move dvwa to /var/www/html and setup permissions mv DVWA-master /var/www/html/dvwa cd /var/www/html chmod -R 755 dvwa/
Almost done! Now let’s setup your mysql’s password in the DVWA configuration file, so it can create its ‘dvwa’ database:
Now you should be seeing the login page under http://127.0.0.1/dvwa:
In the #redteam series of posts we’ll start with the low-hanging fruits, so don’t forget to set the security level of DVWA to ‘low’, under the ‘DVWA Security’ tab
Don’t forget to always reset the security level to ‘impossible’ and of course you should never expose this web application in a non-private network.