DVWA Series #0: What It Is and How to Set It Up
Welcome! This is the beginning of my DVWA code analysis and exploitation walkthrough series.
In this series, we’ll study and break down the code for each vulnerable section, attempt to recreate a patch, and then explore possible exploits for each.
But before that, what exactly is DVWA?
What is DVWA
DVWA (Damn Vulnerable Web Application) is a web application built with PHP/MariaDB.
PHP (Hypertext Preprocessor) is an open-source server-side scripting language mainly used for web development.
MariaDB is a relational database management system, used to store and organize data.
As a wholly insecure web app, its main goal is to be a safe environment for security professionals to test their skills, web developers to understand the processes of securing a web application, and to aid both students and teachers in learning about web application security in a controlled environment.
It’s also built to include some of the most common web app vulnerabilities with various levels of difficulty, which require different levels of creativity to exploit.
How To Install DVWA
To install DVWA, here are some guides for setting it up on Linux and Windows.
Alternatively, you can use DVWA without installing it by running the instance hosted on TryHackMe, though you’ll need to connect to their network to use it.
You can also set it up using Docker. Although I didn’t cover that here, you can search online for how to set up DVWA with Docker on your operating system; it’s one of the safest methods.
Additionally, Kali Linux users can get it running by simply running:
sudo apt update
sudo apt install dvwa
# to run it, we'll say:
dvwa-start
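Once DVWA is running, it is worth confirming that its web and database ports listen only on loopback, since the app is not meant to be reachable from other hosts. The following is an added example, not part of the original post: it filters `ss -Hltn` output for listeners bound beyond 127.0.0.0/8 or ::1. The sample lines and the ports 80 and 3306 are constructed for illustration; substitute the ports your install actually uses.

```shell
#!/bin/sh
# exposed_listeners PORT
# Reads `ss -Hltn` lines on stdin and prints the local address of every
# listener on PORT that is NOT bound to loopback. No output = loopback-only.
exposed_listeners() {
    awk -v port="$1" '
        {
            addr = $4                      # "Local Address:Port" column
            n = match(addr, /:[0-9]+$/)    # the last colon separates the port
            if (!n) next
            host = substr(addr, 1, n - 1)
            p = substr(addr, n + 1)
            if (p != port) next
            gsub(/^\[|\]$/, "", host)      # strip IPv6 brackets: [::1] -> ::1
            sub(/%.*/, "", host)           # strip interface scope, e.g. %lo
            if (host ~ /^127\./ || host == "::1") next
            print addr                     # wildcard or routable address
        }'
}

# Constructed sample: web server and database bound to loopback only.
SAMPLE_LOCAL='LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 511 [::1]:80 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'

# Constructed sample: web server bound to every interface.
SAMPLE_EXPOSED='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'

echo "loopback-only sample, port 80:"
printf '%s\n' "$SAMPLE_LOCAL" | exposed_listeners 80
echo "exposed sample, port 80:"
printf '%s\n' "$SAMPLE_EXPOSED" | exposed_listeners 80

# On a live host: ss -Hltn | exposed_listeners 80
```

Any address it prints means the port is bound to a wildcard or routable address, so the web server or database bind setting should be changed to loopback before going further.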
DVWA Vulnerabilities We’ll Run Analysis On And Exploit
The following vulnerabilities are what we’ll cover in this series:
- Brute Force: Repeatedly guessing a user’s credentials until one works.
- Command Injection: Executing OS commands through app input.
- CSRF: Tricking a logged-in user into performing a request they didn’t intend to make.
- File Inclusion: Getting the app to load files it shouldn’t.
- File Upload: Bypassing checks to upload malicious files.
- SQL Injection: Manipulating database queries through user input.
- SQL Injection (Blind): Same idea as above, but with no direct output to confirm the queries work.
- Weak Session IDs: Predicting or brute-forcing session IDs.
- XSS (DOM): Injecting scripts that execute via client-side (DOM) manipulation.
- XSS (Reflected): Injecting a script through user input that the server immediately echoes back into the page without sanitizing it.
- XSS (Stored): Injecting scripts that get saved and run for other users later.
- CSP Bypass: Getting around Content Security Policy restrictions.
- JavaScript Attacks: Exploiting client-side logic flaws.
- Authorisation Bypass: Accessing resources you shouldn’t have access to.
- Open HTTP Redirect: Abusing a redirect to send users somewhere malicious.
- Cryptography: Exploiting weak or improperly implemented encryption.
Why I’m Doing This
The reason I’m doing this is to strengthen my code analysis skills and gain a deeper understanding of vulnerable code.
This will make it easier to come up with more creative exploits and write better patches for these vulnerabilities. Essentially, it’s about becoming good at writing secure code and identifying insecure coding practices.
So whether you’re here for the exploits, the code analysis, or both, you can join me on this journey and we’ll walk it through together.
Conclusion
DVWA is a vulnerable application designed for learning offensive and defensive web security.
It is highly recommended not to install it on a host connected to the internet or a public network.
With the steps above, you should now have it up and running.
Having done the needful, we can now proceed with the code analysis and exploitation series.
I hope it’ll be fun! See you in the next one.