DVWA: Damn Vulnerable Web Application

CyberPunk Pentesting Playgrounds
DVWA: Damn Vulnerable Web Application

Introduction

Damn Vulnerable Web Application, shorter DVWA, is a PHP/MySQL web application that is damn vulnerable. The main goal of this pentesting playground is to aid penetration testers and security professionals to test their skills and tools. In addition it can aid web devs better understand how to secure web apps, but also to aid students/teachers to learn all about web app security and possible vulnerabilities.

DVWA (Damn Vulnerable Web Application) Logo
Disclaimer: Authors don’t take responsibility for the way you’ll use this vulnerable web application (DVWA). Do not install DVWA on to live web servers, otherwise you’ll take the responsibility for any damage caused by installing DVWA.

DVWA: Damn Vulnerable Web Application

DVWA is a damn vulnerable web application coded in PHP that uses MySQL database. With this amazing pentesting web app you can practice some of the most common web vulnerabilities (different levels of difficulty) using its very simple GUI. You can play around and try to discover as many issues as possible in order to deepen your knowledge/skill set.

DVWA Attacks:

  • Brute-force
  • Command Injection
  • CSRF
  • File Inclusion
  • File Upload
  • Insecure CAPTCHA
  • SQL Injection / SQL Injection (Blind)
  • Weak Session IDs
  • XSS (DOM)
  • XSS (Reflected)
  • XSS (Stored)
  • CSP Bypass

Requirements:

  • web server (XAMPP as an alternative)
  • PHP
  • MySQL
  • Other possible dependencies (depending on the OS)
WARNING: Do not upload it to your hosting provider’s public html folder or any Internet facing servers, as they will be compromised. It’s recommended to use Virtual Machine (Virtual Box, VMware, etc.).

Install

Linux

Install the dependencies (only Debian-based):

$ sudo apt install apache2 mysql-server php php-mysqli php-gd libapache2-mod-php

Clone the DVWA repo:

$ git clone https://github.com/ethicalhack3r/DVWA

Or download the source:

$ cd /var/www/html
$ wget https://github.com/ethicalhack3r/DVWA/archive/v1.9.zip && unzip v1.9.zip
$ mv DVWA-1.9 /var/www/html/dvwa

If everything goes well, create the database with name DVWA. The next step is to configure config.inc.php file located at /config/config.inc.php. Modify the database credentials within the config.inc.php file. Default variables:

$_DVWA[ 'db_user' ] = 'root'; 
$_DVWA[ 'db_password' ] = 'p@ssw0rd'; 
$_DVWA[ 'db_database' ] = 'dvwa';
Note: If you are on Kali Linux, you’ll need to create a new DB user since MariaDB is default in Kali. 
$ service mysql start
$ mysql -u root -p
 
mysql > create database dvwa;
mysql > CREATE USER 'user'@'127.0.0.1' IDENTIFIED BY 'p@ssword';
mysql > grant all on dvwa.* to 'user'@'127.0.0.1';
mysql > flush privileges;
mysql > exit
 
$ service mysql stop

There is one more, you’ll need to provide reCAPTCHA keys in the config.inc.php file (Click on the “documentation” button below for more details). Don’t forget to restart server and MySQL.

Now browse to the DVWA directory to complete the setup (http://IP_address/DVWA) and click Create / Reset Database:

DVWA (Damn Vulnerable Web Application) Database Setup

If the DB is created successfully, you’ll be redirected to the login screen
(http://IP_address/DVWA/login.php). To login use the default credentials:

  • Default username = admin
  • Default password = password
DVWA (Damn Vulnerable Web Application) Login

That’s it! Now you can play around and test your skills.

DVWA (Damn Vulnerable Web Application) Welcome Screen

Windows

If you don’t have a ready web server, the easiest steps are the following:

  1. Download DVWA
  2. Install XAMPP
  3. Unzip dvwa.zip and place files into public html folder
  4. Browse to http://127.0.0.1/dvwa/setup.php
Documentation Box
Download Box
Brute-ForceCSRFPentestingPHPSQL InjectionXSS