Title: Damn Vulnerable Web App
Post by: j0rDy on June 09, 2010, 09:37:56 AM

We all know DVL, but I never heard of DVWA. Just came across this one, and can't remember if anybody mentioned it before, so here it goes.

Some info: Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment.

The link: http://www.dvwa.co.uk/

I'm adding this to my personal pentest lab soon, so I'll check it out if it is any good, so for this one: no news is good news!

Title: Re: Damn Vulnerable Web App
Post by: JollyJokker on June 09, 2010, 10:16:47 AM

Thanks, I was not aware of its existence. Guess what I am going to try when I get back home after work ;)
Title: Re: Damn Vulnerable Web App
Post by: secureseven on June 09, 2010, 10:54:07 AM

I believe this is included in the Web Security Dojo Distro.
http://www.mavensecurity.com/web_security_dojo/

Title: Re: Damn Vulnerable Web App
Post by: Ketchup on June 09, 2010, 11:32:55 AM

It's actually written by an EHnetter. It's a great app. I use it for testing of new security tools all the time.
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,3207.0/

Title: Re: Damn Vulnerable Web App
Post by: Data_Raid on June 09, 2010, 11:39:59 AM

Not to hijack the thread, but thought that it's worth mentioning that there is a downloadable ISO image (approx 11.2 MB) from Badstore which is very easy to set up and configure and is vulnerable to various attacks such as:

- Cross Site Scripting (XSS)
- SQL Injection
- Command Injection
- Cookie/Session Poisoning
- Parameter/Form Tampering
- Buffer Overflow
- Directory Traversal/Forceful Browsing
- Cookie Snooping
- Log Tampering
- Error Message Interception
- Denial of Service

http://www.badstore.net/downloads/return.htm

Title: Re: Damn Vulnerable Web App
Post by: j0rDy on June 10, 2010, 02:24:41 AM

Oh well, never hurts to put something back in the spotlight ;)
Thanks for the other additions to this web app. Can't wait to expand my pentest lab with those!

Title: Re: Damn Vulnerable Web App
Post by: Equix3n- on June 11, 2010, 02:06:20 AM

Like Ketchup stated, DVWA is written by the EHNetter Ryan Dewhurst: http://twitter.com/ethicalhack3r

If I'm correct then EHNet was the first place it was publicly announced. Jason Haddix and Laz3r's web application lab tutorial provided it the necessary publicity.
Title: Re: Damn Vulnerable Web App
Post by: JollyJokker on June 11, 2010, 05:55:50 AM

So, is there a difference between WebGoat and DVWA?
Title: Re: Damn Vulnerable Web App
Post by: secureseven on June 14, 2010, 11:08:38 AM

I believe WebGoat is written in Java. So in addition to normal attacks (XSS, CSRF) they have Java-related attacks like thread race conditions.
Title: Re: Damn Vulnerable Web App
Post by: clanggedin on June 14, 2010, 12:21:29 PM

I downloaded DVWA and have been playing with it. I cannot for the life of me get any scripts to run correctly in the 'file upload' portion. Since I have injected PHP into an image file using GIMP and uploaded the GIF. I then uploaded a new .htaccess file to allow GIF to be executed. I end up getting a syntax error (T_STRING) on line 373... What's odd is that it doesn't matter what PHP code I enter or what image I use either. I get the same error regardless.

Will it not work unless Suhosin is disabled? Is there a way to disable Suhosin by uploading a .htaccess or php.ini in the folder? Any clues or insights on what I could do to get a positive result?

Title: Re: Damn Vulnerable Web App
Post by: clanggedin on June 15, 2010, 12:27:39 AM

I got it figured out. My solution even works on the 'high' setting. I didn't have to mess with the .htaccess after all. I'm slowly getting there. :)
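The two tricks clanggedin describes (PHP embedded in a GIF, and a .htaccess dropped into the upload folder so GIFs get executed) are exactly what an upload handler has to refuse. The handler below is an added example written for this thread, not DVWA's own code; it assumes PHP 8 with the fileinfo and GD extensions and a hypothetical $storeDir that sits outside the web root and is served back through a separate script.

```php
<?php
// Added example (not DVWA's code): validate and re-encode an uploaded image so
// that neither a renamed .htaccess nor an image with PHP appended or hidden in
// a comment block ever reaches disk in an executable form.
// Assumption: $storeDir is outside the web root (hypothetical path).

const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function validate_upload(array $file, string $storeDir): array
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'upload failed'];
    }
    // The client-supplied name decides nothing below, so a name such as
    // ".htaccess" or "shell.php.gif" has no effect on what gets written.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return [false, "unexpected content type: $mime"];
    }
    // A second, independent parse: getimagesize() must agree with the sniffed type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return [false, 'not a valid image'];
    }
    // Re-encode through GD: the pixels survive, trailing bytes and comment
    // extensions (where injected PHP usually lives) do not.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return [false, 'image could not be decoded'];
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];  // server-chosen name
    $dest = rtrim($storeDir, '/') . '/' . $name;
    $ok = match ($mime) {
        'image/jpeg' => imagejpeg($img, $dest, 90),
        'image/png'  => imagepng($img, $dest),
        'image/gif'  => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $ok ? [true, $name] : [false, 'could not write image'];
}

// Usage (form field "uploaded", hypothetical store directory):
// [$ok, $result] = validate_upload($_FILES['uploaded'], '/var/dvwa-uploads');
```

Pair this with AllowOverride None on any directory that does receive files, so that Apache ignores a stray .htaccess even if one lands there.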
Title: Re: Damn Vulnerable Web App
Post by: chrisadam008 on September 09, 2010, 06:34:14 AM

[Image: DVWA Home Screen]

The app does provide some help and tips for accessing some of the basics of each type of attack. It also lets you view the source code as the attacks take place (useful for debugging your XSS and SQL injection attacks). It also gives you three different levels of security for the site. This can show you as well how to prevent these attacks.

It's a great tool if you're just getting started and need the basics to get the ball rolling. But if you're experienced at all, you may find this a little boring. It would be nice to see some advanced stuff, but if you're at that level, you probably don't need to be playing with apps like these. You're probably already writing your own.

You can find the latest development files here (SVN) or grab the latest release version here (ZIP).

Title: Re: Damn Vulnerable Web App
Post by: newguide on May 04, 2011, 01:29:43 AM

What's new?
- The vulnerability help page has been improved.
- We now display the logged on username along with the vulnerability level and PHP-IDS status.
- Blind SQL injection has been implemented.
- We now have official documentation.
- You can now compare all vulnerable source code in one page with the 'view all' button.
- The whole theme has been redesigned, including a new great looking logo.
- Many bug fixes and small changes throughout the application.

But that's not all, we have continued the work that Duncan Alderson had done on the 1.0.6 LiveCD, as the LiveCD proved to be a great success. The new LiveCD is not only a vulnerable web application but also a badly configured web server which includes many server misconfigurations.

DVWA 1.0.7 LiveCD specs:

- Ubuntu Server 10.04 minimal
- XAMPP Linux 1.7.3a (Apache 2.2.14, MySQL 5.1.41, PHP 5.3.1)
- WebDav
- Fluxbox (optional)
- Firefox 3.6.8
- Firefox addons include XSS Me, SQL Inject Me, Access Me, Tamper Data, REST Client, HackBar, ShowIP, Useragent Switcher, Firebug, NoScript and more.

The DVWA 1.0.7 LiveCD is designed for the beginner to jump right in to learning web application security or a quick way to demo the severities of a vulnerability to your managers. The great thing about DVWA is its flexibility, whether you want to learn, teach, test or demo, DVWA makes it easy.

Title: Re: Damn Vulnerable Web App
Post by: ajohnson on May 07, 2011, 11:29:57 AM

There's a great list of similarly vulnerable apps here (if anyone's interested): http://www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security
Title: Re: Damn Vulnerable Web App
Post by: lorddicranius on May 07, 2011, 12:00:25 PM

That's a great list, thanks dynamik! :)