If youβre a beginner in web app penetration testing, youβll have heard of Damn Vulnerable Web Application (DVWA). However, because of the overwhelming number of tutorials online, you might not know where to begin, and the crass name may even have deterred you from exploring all it offers.
So, why does everyone say itβs an important learning tool for aspiring pentesters? Donβt worry. Weβve got you covered.
In this tutorial, weβll give you a proper introduction to DVWA and how it works, the DVWA download and setup process, the DVWA login, and a mini-exercise on how to operate DVWA for a simple exploit you can do safely from home.
Without further ado, letβs dive in.
What Is Damn Vulnerable Web Application?
Damn Vulnerable Web Application (DVWA) is a pedagogical tool and recipient of attacks. Itβs a PHP/MySQL web application intentionally designed to be vulnerable.
DVWA aims to allow penetration testers, web developers, and security professionals to test their skills and tools in a controlled environment and learn about securing web applications practically, safely, and legally.
Itβs a practice ground for the most common web vulnerabilities, ranging from easy to hard, all within a simple, straightforward interface. Users can work through each vulnerability at a fixed difficulty level or challenge themselves to exploit each vulnerability fully before moving on to the next one.
DVWAβs initial copyright holders were Ryan Dewhurst and RandomStorm, a UK security company. Since then, the project has accumulated numerous contributors, including its current owner, Robin Wood.
Andrew Mason, RandomStormβs founder, published a paper explaining Dewhurstβs motivation behind developing DVWA: to βprovide a way of teaching application developers about the common programming mistakes that allow malicious code to be inserted into strings, making the application unsafe for users.β In fact, including vulnerabilities is so deliberate that DVWA has no CVE.
You can use DVWA to explore and exploit embedded web vulnerabilities, maximizing your hands-on practice in your pentesting skills.
Letβs explore some of the reasons behind DVWAβs popularity.
DVWA is Free and Local
The DVWA download is available free of charge to everyone under the terms of the GNU General Public License. Itβs perfect as a self-contained long-term pentesting lab, and itβs open-source so that you can add, subtract, and customize its vulnerabilities.
For it to work, you only have to install DVWA on your personal Kali Linux virtual machine or in a Docker container.
DVWA is Safe in Isolation
DVWA works offline. You can cut off Wi-Fi access, and DVWA will still work. If you set it up correctly on your Kali Linux virtual machine or in Docker and confine your pentesting to your selected location, you risk no damage to the host machine.
The DVWA docs warn against installing it on public-facing web servers, whether or not you own them, owing to the immense danger it poses once a third-party attacker discovers it.
In addition, if anything goes wrong in your attacks, you can scrap and reinstall the Kali Linux image or rebuild the Docker container and try again.
DVWA Covers Many Attacks
DVWA contains so many vulnerabilities that security researchers have not exhausted them yet.
Known DVWA vulnerabilities include:
- Brute-force
- Command injection
- Cross-Site Request Forgery (CSRF)
- File inclusion
- File upload
- Insecure CAPTCHA
- SQL injection
- Blind SQL injection
- Weak session IDs
- Cross-Site Scripting (XSS): DOM, Reflected, and Stored
- Content Security Policy (CSP) Bypass
- JavaScript
- Open HTTP redirect
Tools for exploiting DVWA vulnerabilities include:
Many of them come either pre-installed with Kali Linux or as separate downloads. You can find more Kali Linux hacking tools here.
Setting up Damn Vulnerable Web Application
We have two primary ways to set up DVWA: Kali Linux and Docker. Although Kali Linux has many built-in tools for exploiting vulnerabilities, it doesnβt come pre-installed with DVWA.
DVWA Download for Kali Linux
In the past, the setup involved Apache and MySQL, but now the default command is sudo apt install dvwa
followed by dvwa-start
.
Should sudo apt install dvwa
not work on the first try, follow these detailed instructions to install DVWA from the source. The screenshot below demonstrates the procedure outlined under βManually Running the Script.β
The installation is a success when the final terminal output is:
DVWA has been installed successfully. Access http://localhost/DVWA to get started.
Credentials:
Username: admin
Password: password
With β‘ by IamCarron
(IamCarron
is a DVWA contributor.)
DVWA Download for Docker
Those who donβt use Kali Linux or want a different method to access DVWA can run it in a Docker container as follows. Successful Docker installation requires an up-to-date operating system (OS), so you must perform operations analogous to the initial commandsβoutlined belowβthat apply to Linux.
For example, you may replace that command with updating your OS with an installer. Instead of running terminal commands to launch Docker, youβll open the Docker Desktop app that applies to your OS.
# These commands apply to Linux
sudo apt update
sudo apt install -y docker.io
sudo systemctl enable docker --now
# These commands will work on most OSβs
sudo docker search web-dvwa
sudo docker pull vulnerables/web-dvwa
sudo docker run docker.io/vulnerables/web-dvwa:latest
The screenshots below demonstrate the Docker installation process on Kali Linux.
Weβll continue with this DVWA Docker walkthrough in the next section.
DVWA Login and Getting Started
Logging in to DVWA is straightforward for Kali Linux users. However, it involves an extra step for Docker users. Letβs explore both approaches below.
DVWA Kali Linux
For Kali Linux users, run dvwa-start
from the Kali Linux terminal. When prompted, enter the Kali Linux password (kali
). A Firefox browser window will display the DVWA interface without prompting for any more login credentials.
Hereβs an overview of the DVWA interface.
Notice the menu options on the left sidebar. They correspond to the list of known DVWA vulnerabilities in the DVWA Lessons/Challenges section below.
DVWA Docker
Docker users must navigate to the URL specified in their terminalβs verbose output (highlighted below) after executing sudo docker run docker.io/vulnerables/web-dvwa:latest
.
The DVWA login page appears below. Enter the default DVWA credentials admin/password.
After logging in, youβll see the DVWA βsetup.phpβ page. Click on the βCreate/Reset Databaseβ button to return to the DVWA interface weβve seen above.
DVWA Settings
Access the menu item βDVWA Securityβ from the left sidebar, near the bottom.
DVWA offers four options to set your desired pentesting difficulty level: Low, Medium, High, and an additional one called Impossible. These four options determine how vulnerable DVWA is to your attacks.
- Low: This is the default setting for the Docker installation. This security level is completely vulnerable and has no security measures at all. It serves as an example of how web application vulnerabilities manifest through bad coding practices and serves as a platform to teach or learn basic exploitation techniques.
- Medium: This setting mainly demonstrates bad security practices by showing how the developer has tried but failed to secure an application. It also challenges users to refine their exploitation techniques.
- High: This option is an extension of the Medium level, and the developers have implemented a mixture of more difficult or alternative bad practices meant to secure the code. The vulnerabilities at this level put an upper limit on your exploitation, similar to how youβd handle various Capture The Flags (CTFs) competitions.
- Impossible: This is the default setting for the Kali Linux installation. You should compare the vulnerable source code to the developersβ relatively secure source code.
Although the developers claim that the Impossible level should be secure against all vulnerabilitiesβas shown in the screenshot below of the βDVWA Securityβ pageβif youβve spent any time in cyber security, youβll know absolute cyber security doesnβt exist due to undocumented vulnerabilities and zero-day attacks.
Cyber security can only be relative.
DVWA Lessons/Challenges
After choosing your preferred pentesting difficulty level, you can explore the menu items on the left sidebar. These are attacks on known DVWA vulnerabilities.
Pentesters call them βlessons/challengesβ because of the contents of two buttons on the bottom right: βView Sourceβ and βView Help.β
With βView Source,β you can analyze the PHP source code of each lesson/challenge page to determine your attack strategy.
βView Helpβ explains your attack, why youβre hacking the page, and what to expect when changing the pentesting difficulty level. If you highlight the text blanked out by the spoilers, youβll get hints on how to crack that level.
The next section will show you a concrete example of what we mean and will examine how DVWA works when you attempt to exploit its vulnerabilities.
DVWA in Practice
In the following example, weβre performing an easy SQL injection. Youβll realize how simple and powerful DVWA is as a pedagogical aid and a practical pentesting exercise.
The screenshots below apply to the Low difficulty setting, and thanks to the setup.php page, we know DVWA has a MySQL backend.
The page contains a βUser IDβ text and a βSubmitβ button. Upon clicking βView Help,β located at the bottom right corner of the page, we get the following pop-up window:
The βAboutβ section briefly explains a SQL injection attack (SQLi) and how it affects a database. Itβs an introduction to SQLi if youβre new to pentesting and a well-written and incredibly useful refresher for seasoned professionals.
The βObjectiveβ section spells out what youβll do on this page:
βThere are 5 users in the database, with id's from 1 to 5. Your mission... to steal their passwords via SQLi.β
Youβre hacking this page so that it leaks database login credentials. Many real-world cyber attacks involve credential harvesting.
The four levels have differences in the PHP source code of the page shown below.
First, we know from the Objective that the database contains five users with numerical IDs. Performing ordinary SQL queries on these user IDs gives us their first names and surnames.
Since the difficulty level is low, we read the corresponding description in βView Help,β which tells us this page takes raw SQL input, which the attacker can control directly. βAll they need to do is escape the queryβ is the hint to solving this easy challenge.
Looking at the red text output and checking the source code from βView Source,β we find that the underlying SQL query statement is:
SELECT first_name, last_name FROM users WHERE user_id = '$id'
Moreover, it expects the SQL query to return two outputs, namely $first
and $last
.
Letβs manipulate the text form input denoted by $id
and explore ways to escape it to get the passwords.
Extract data on all the five users in the database with the input %' or '0'='0
, which yields the following unsanitized SQL query where %
is a wildcard character, '0'='0'
is a tautology, and the opening and closing straight apostrophes '
match in the underlying PHP code, so that it becomes:
SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';
If a simple tautology can escape the query, so can any SQL keyword from the user. In particular, the UNION
keyword in SQL combined with a suitable SELECT
query will expose the underlying database. We call this approach a βSQL injection UNION attack.β
The MySQL documentation reveals that a table called information_schema
stores information about the database containing the users
table. This table gives us a clue as to where to find the passwords. We also want to ensure we assign values to the two variables $first
and $last
by returning two columns, not one.
We assign to $id
the text input of %' UNION SELECT table_name,column_name FROM information_schema.columns #
, where #
marks the beginning of a comment (';
). Thus, the SQL query becomes:
SELECT first_name, last_name FROM users WHERE user_id = '%' UNION SELECT table_name,column_name FROM information_schema.columns #';
Your penultimate strike is to capture the passwords while returning two data columns. Here, we choose the text input of %' UNION SELECT user, password FROM users #
into our vulnerable page.
SELECT first_name, last_name FROM users WHERE user_id = '%' UNION SELECT user, password FROM users #';
Weβve found password hashes instead of plain-text passwords. The final part of this challenge is cracking them, which is outside the scope of this introductory DVWA guide.
Conclusion
This straightforward DVWA tutorial will help you get started and wield it confidently.
Anyone interested in penetration testing of web applications would benefit from constant practice exploiting DVWA. Despite its mildly offensive full name, itβs a fantastic teaching and learning tool for pentesters at any stage in their career.
Donβt forget to check out our StationX Membership to access a wide range of penetration testing, web application security, and related courses. If you intend to pursue a career in these fields, we have handpicked a selection of courses for you below, and we wish you success.