Damn Vulnerable Web App

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Jun 09, 2010 9:37 am

Damn Vulnerable Web App

We all know DVL, but I never heard of DVWA. Just came across this one, and can't remember if anybody mentioned it before, so here it goes.

Some info:
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

The link:
http://www.dvwa.co.uk/

I'm adding this to my personal pentest lab soon, so I'll check it out if it is any good, so for this one: no news is good news!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

JollyJokker

Post Wed Jun 09, 2010 10:16 am

Re: Damn Vulnerable Web App

Thanks, I was not aware of its existence. Guess what I am going to try when I get back home after work ;)

secureseve

Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Wed Jun 09, 2010 10:54 am

Re: Damn Vulnerable Web App

I believe this is included in the Web Security Dojo Distro.
http://www.mavensecurity.com/web_security_dojo/
http://twitter.com/mikesantillana
eLearnSecurity Team Member.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Jun 09, 2010 11:32 am

Re: Damn Vulnerable Web App

It's actually written by an EHnetter. It's a great app. I use it for testing of new security tools all the time.

http://www.ethicalhacker.net/component/ ... ic,3207.0/
~~~~~~~~~~~~~~
Ketchup

Data_Raid

Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Wed Jun 09, 2010 11:39 am

Re: Damn Vulnerable Web App

Not to hijack the thread, but thought that it's worth mentioning that there is a downloadable ISO image (approx. 11.2 MB) from Badstore which is very easy to set up and configure and is vulnerable to various attacks such as:

Cross Site Scripting (XSS)
SQL Injection
Command Injection
Cookie/Session Poisoning
Parameter/Form Tampering
Buffer Overflow
Directory Traversal/Forceful Browsing
Cookie Snooping
Log Tampering
Error Message Interception
Denial of Service

http://www.badstore.net/downloads/return.htm
All men by nature desire knowledge.

Aristotle

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Thu Jun 10, 2010 2:24 am

Re: Damn Vulnerable Web App

Oh well, never hurts to put something back in the spotlight ;)

Thanks for the other additions to this web app. Can't wait to expand my pentest lab with those!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Fri Jun 11, 2010 2:06 am

Re: Damn Vulnerable Web App

Like Ketchup stated, DVWA is written by the EHNetter Ryan Dewhurst (http://twitter.com/ethicalhack3r). If I'm correct, EHNet was the first place it was publicly announced. Jason Haddix and Laz3r's web application lab tutorial provided it the necessary publicity.

JollyJokker

Post Fri Jun 11, 2010 5:55 am

Re: Damn Vulnerable Web App

So, is there a difference between WebGoat and DVWA?

secureseve

Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Mon Jun 14, 2010 11:08 am

Re: Damn Vulnerable Web App

I believe WebGoat is written in Java, so in addition to normal attacks (XSS, CSRF) they have Java-related attacks like thread race conditions.
http://twitter.com/mikesantillana
eLearnSecurity Team Member.

clanggedin

Newbie

Posts: 17

Joined: Thu May 27, 2010 12:51 pm

Post Mon Jun 14, 2010 12:21 pm

Re: Damn Vulnerable Web App

I downloaded DVWA and have been playing with it. I cannot for the life of me get any scripts to run correctly in the 'file upload' portion. I have injected PHP into an image file using GIMP and uploaded the GIF. I then uploaded a new .htaccess file to allow GIF to be executed. I end up getting a syntax error (T_STRING) on line 373... What's odd is that it doesn't matter what PHP code I enter or what image I use either. I get the same error regardless.

Will it not work unless Suhosin is disabled? Is there a way to disable Suhosin by uploading a .htaccess or php.ini in the folder?

Any clues or insights on what I could do to get a positive result?
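As an added example (not DVWA's own code, and not the poster's), here is a hardened PHP upload handler showing the server-side checks that stop the approach described in the post above: it ignores the client-supplied filename and MIME type, verifies the content actually decodes as an image, re-encodes it so embedded bytes are dropped, and stores it under a random name outside the web root. The form field name `uploaded`, the upload directory path, and PHP 8 with the GD and fileinfo extensions are assumptions.

```php
<?php
// Added example, not DVWA's own code. Assumes a form field named
// "uploaded" and a directory that Apache does not serve (assumption).
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // assumed: outside the web root
const MAX_BYTES  = 100000;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function validate_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name and type are never used: a name such as
    // ".htaccess" or "shell.php" must never reach the filesystem.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Decode and re-encode through GD: only pixel data survives, so
    // PHP code hidden in comment blocks or trailing data is discarded.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image failed to decode');
    }
    $ext  = ALLOWED[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // server-chosen name
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 85),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not store image');
    }
    return $name;
}

if (isset($_FILES['uploaded'])) {
    try {
        echo 'stored as ' . htmlspecialchars(validate_upload($_FILES['uploaded']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Serving the upload directory with `AllowOverride None` and no PHP handler in the Apache configuration closes the .htaccess route independently of this code.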

clanggedin

Newbie

Posts: 17

Joined: Thu May 27, 2010 12:51 pm

Post Tue Jun 15, 2010 12:27 am

Re: Damn Vulnerable Web App

I got it figured out. My solution even works on the 'high' setting. I didn't have to mess with the .htaccess after all. I'm slowly getting there. :)

chrisadam008

Newbie

Posts: 2

Joined: Thu Sep 09, 2010 6:25 am

Post Thu Sep 09, 2010 6:34 am

Re: Damn Vulnerable Web App

DVWA Home Screen

The app does provide some help and tips for accessing some of the basics of each type of attack. It also lets you view the source code as the attacks take place (useful for debugging your XSS and SQL injection attacks). It also gives you three different levels of security for the site. This can show you as well how to prevent these attacks.

It's a great tool if you're just getting started and need the basics to get the ball rolling. But if you're experienced at all, you may find this a little boring. It would be nice to see some advanced stuff, but if you're at that level, you probably don't need to be playing with apps like these. You're probably already writing your own.

You can find the latest development files here SVN or grab the latest release version here ZIP.

newguide

Newbie

Posts: 1

Joined: Wed May 04, 2011 12:55 am

Post Wed May 04, 2011 1:29 am

Re: Damn Vulnerable Web App

What's new?
The vulnerability help page has been improved.
We now display the logged on username along with the vulnerability level and php-ids status.
Blind SQL injection has been implemented.
We now have official documentation.
You can now compare all vulnerable source code in one page with the 'view all' button.
The whole theme has been redesigned, including a new great looking logo.
Many bug fixes and small changes throughout the application.

But that's not all. We have continued the work that Duncan Alderson had done on the 1.0.6 LiveCD, as the LiveCD proved to be a great success. The new LiveCD is not only a vulnerable web application but also a badly configured web server which includes many server misconfigurations.

DVWA 1.0.7 LiveCD specs:

Ubuntu Server 10.04 minimal
XAMPP Linux 1.7.3a (Apache 2.2.14, MySQL 5.1.41, PHP 5.3.1)
WebDav
Fluxbox (optional)
Firefox 3.6.8
Firefox addons include XSS Me, SQL Inject Me, Access Me, Tamper Data, REST Client, HackBar, ShowIP, Useragent Switcher, Firebug, NoScript and more.

The DVWA 1.0.7 LiveCD is designed for the beginner to jump right in to learning web application security or a quick way to demo the severities of a vulnerability to your managers. The great thing about DVWA is its flexibility, whether you want to learn, teach, test or demo, DVWA makes it easy.
Last edited by newguide on Fri Jul 27, 2012 3:04 am, edited 1 time in total.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat May 07, 2011 11:29 am

Re: Damn Vulnerable Web App

There's a great list of similarly vulnerable apps here (if anyone's interested): http://www.irongeek.com/i.php?page=secu ... p-security
The day you stop learning is the day you start becoming obsolete.

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Sat May 07, 2011 12:00 pm

Re: Damn Vulnerable Web App

That's a great list, thanks dynamik! :)
GSEC, eCPPT, Sec+