DVWA (Damn Vulnerable Web App) is a deliberately vulnerable web application written in PHP/MySQL. It is lightweight, easy to use and full of flaws to exploit.
DVWA is designed both for security professionals and for those who want to practise or learn more about web attacks, and to test attack techniques in a legal environment.
The main objectives of DVWA
Learn to identify vulnerabilities in websites and web applications,
Test exploitation and intrusion techniques,
Learn remediation methods to secure systems better.
The flaws available in the DVWA web application
Brute force attack
Command execution (via PHP's shell_exec)
CSRF attacks
File inclusion
SQL injection attacks
File upload
XSS attacks
Installing Damn Vulnerable Web App
First, download the application from SourceForge, then place the dvwa folder in the document root of your web server (for example under WAMP, XAMPP or EasyPHP). Run it only on your own machine or an isolated lab network: DVWA is intentionally insecure and must never be exposed to the Internet.
Open the application on localhost at http://127.0.0.1/dvwa/index.php. An installer lets you complete the setup in a few clicks.
The application login is admin and the password is password.
To install the database, just click on Setup in the main menu, then click "Create / Reset Database".
How to practice some attacks on DVWA?
The DVWA application has three difficulty levels: low (easy), medium and high.
I recommend starting at the low level so as not to get discouraged. Of course, you can move on to the next levels afterwards, but it is best to start sensibly.
To exploit a flaw you will need some human qualities to succeed: patience, perseverance and discretion. At this stage those count for as much as technical skill, and I weigh my words. :)
Note: To change the difficulty level, click "DVWA Security" and choose the level you need.
XSS attack DVWA
To get familiar with the tool, we will start with a stored (persistent) XSS attack.
For this, choose "XSS stored" in the side menu. A simple form with two fields (name and message) is displayed. The presence of XSS is usually detected by entering JavaScript code in a form field or in a URL parameter and seeing whether it runs.
So we type the following line in the message field of the form:
<script>alert('Depotekk.com')</script>
If a dialog box appears, we can conclude that the web application is vulnerable to XSS. Because the message is saved in the database, this script will run for every user who visits the page, not just for the one who submitted it.
It now remains to exploit the flaw with more useful JavaScript. If you do not have time to write your own, use BeEF (the Browser Exploitation Framework), which hooks browsers through an XSS flaw and lets you run modules against them.
You should know that at the low level, input filtering and output encoding are completely absent from the application.
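To see why the low level is vulnerable and what the fix looks like, here is an added example in Python (not DVWA's own code): a constructed stand-in for one guestbook row, rendered three ways, with a check that tells whether the probe above would still execute in a browser. The guestbook markup, the naive blocklist filter and the payload list are assumptions for illustration; compare them with the View Source button of your DVWA version.

```python
import html
import re

# The probe used in the article, and the marker we look for afterwards.
PROBE = "<script>alert('Depotekk.com')</script>"
MARKER = "Depotekk.com"

# Constructed stand-in for one guestbook row. DVWA's real markup differs;
# only the fact that name and message are inserted into HTML matters here.
ROW = "Name: {name}<br />Message: {message}<br />"


def render_low(name: str, message: str) -> str:
    """'Low' level as the article describes it: input lands in the page untouched."""
    return ROW.format(name=name, message=message)


def render_blocklist(name: str, message: str) -> str:
    """A naive blocklist (assumption: a str_replace('<script>', '')-style filter,
    typical of a 'medium' level). Case-sensitive and single-pass, so bypassable."""
    return ROW.format(name=name.replace("<script>", ""),
                      message=message.replace("<script>", ""))


def render_fixed(name: str, message: str) -> str:
    """The remediation: HTML-encode user input when writing it into the page."""
    return ROW.format(name=html.escape(name), message=html.escape(message))


# A <script> element a browser would actually execute: the '<' must start a tag
# (not sit inside another tag name such as '<scr<script>'), any case, any attributes.
SCRIPT_RE = re.compile(r"(?<![\w<])<script\b[^>]*>(.*?)</script\s*>",
                       re.IGNORECASE | re.DOTALL)


def probe_executes(page: str, marker: str = MARKER) -> bool:
    """True if the marker is still inside a live <script> element after filtering.
    Encoded output ('&lt;script&gt;') never matches, which is exactly the point."""
    return any(marker in body for body in SCRIPT_RE.findall(page))


def surviving_payloads(render, payloads):
    """Which of the payloads still execute when stored through this renderer?"""
    return [p for p in payloads if probe_executes(render("tester", p))]


PAYLOADS = [
    PROBE,                                              # plain probe
    "<SCRIPT>alert('Depotekk.com')</SCRIPT>",           # case variation
    "<scr<script>ipt>alert('Depotekk.com')</script>",   # nested tag: a browser will not run this as-is,
                                                        # but stripping the inner '<script>' rebuilds a live tag
]

if __name__ == "__main__":
    for label, fn in (("low", render_low), ("blocklist", render_blocklist), ("fixed", render_fixed)):
        print(f"{label:10s} executes: {surviving_payloads(fn, PAYLOADS)}")
```

The naive blocklist is the instructive case: the plain probe is stripped, but the upper-case variant survives, and the nested variant, which a browser would not even have run as submitted, is turned into a live script tag by the filter itself. Only encoding the output at the point where it is written into the page makes all three inert.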
Upload attack on DVWA
In this part we move on to exploiting the upload flaw (low level). To do this, click "Upload" in the side menu.
The upload flaw lets you upload files with extensions that should not be accepted (e.g. PHP code), because the server checks neither the file's name nor its content.
To exploit it, we will upload a PHP web shell (such as R57 or C99) to the server, which gives us control of it. Be aware that copies of these public shells circulating online often carry backdoors of their own; for this exercise a few lines of your own PHP wrapping system() are enough.
To do this, click Browse, select your PHP shell and confirm.
The file is uploaded successfully. All that remains is to run the shell, which is stored under http://localhost/dvwa/hackable/uploads/.
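As an added example in Python (not DVWA's code), here is the low-level behaviour described above next to a hardened version of the same upload handler. The accept-everything function is reconstructed from the article's description; the allowlist, magic-byte check, size limit and random naming are the standard remediation and are assumptions for illustration, as are the sample files.

```python
import secrets
from typing import Optional, Tuple

# Image types we are willing to accept, keyed by extension, with the leading
# bytes ("magic") a genuine file of that type must start with.
ALLOWED_TYPES = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF8",
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
MAX_BYTES = 100_000


def _basename(filename: str) -> str:
    """Drop any directory part (either separator) so '../x.png' cannot escape the folder."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def _extension(filename: str) -> str:
    base = _basename(filename)
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def upload_low(filename: str, data: bytes, upload_dir: str = "hackable/uploads") -> str:
    """'Low' level as the article describes it: nothing is checked and the file keeps
    its own name inside a web-reachable folder, so shell.php is then executed by
    requesting http://localhost/dvwa/hackable/uploads/shell.php."""
    return f"{upload_dir}/{_basename(filename)}"


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Hardened validation: size limit, extension allowlist, and a content check
    that does not trust the client-supplied Content-Type. Returns (accepted, reason)."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    ext = _extension(filename)
    if ext not in ALLOWED_TYPES:
        return False, f"extension '.{ext}' not in allowlist"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def upload_hardened(filename: str, data: bytes, upload_dir: str = "/srv/uploads") -> Optional[str]:
    """Accept only validated files, and store them under a random name carrying only
    the validated extension, in a directory outside the web root. A GIF/PHP polyglot
    passes the content check, but it ends up as <random>.gif in a folder the web
    server never executes, so its PHP payload is never run."""
    ok, _reason = check_upload(filename, data)
    if not ok:
        return None
    return f"{upload_dir}/{secrets.token_hex(16)}.{_extension(filename)}"


# Constructed sample uploads (not real captures).
SAMPLES = {
    "shell.php":     b"<?php system($_GET['cmd']); ?>",        # plain web shell
    "shell.php.png": b"<?php system($_GET['cmd']); ?>",        # double extension, no image header
    "cat.png":       b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,      # genuine-looking PNG
    "poly.gif":      b"GIF89a<?php system($_GET['cmd']); ?>",  # GIF/PHP polyglot: passes the content check
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14s} low      -> {upload_low(name, data)}")
        print(f"{'':14s} hardened -> {check_upload(name, data)} -> {upload_hardened(name, data)}")
```

Note that the GIF/PHP polyglot passes every content check; what stops it is the random name with the validated extension and storage in a directory the web server neither serves directly nor executes PHP from. Validation decides what gets in, but where and under what name it is stored decides whether it can do harm.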
You can have fun with the other flaws at the different levels. Train well and test your hacking skills legally. This gives you the opportunity to show what you can do. 😉
And if you get stuck in a test, do not hesitate to let us know in a comment. :)
Remember that the best support for this blog is to like and share our articles! 😉