Damn Vulnerable Web Application (DVWA)
Official Documentation
Revision: 1.3
Published: 27.10.2010
Damn Vulnerable Web Application (DVWA) – Page 1
Introduction
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is
damn vulnerable. Its main goals are to be an aid for security professionals to test
their skills and tools in a legal environment, help web developers better understand
the processes of securing web applications and aid teachers/students to teach/learn
web application security in a classroom environment.
Damn Vulnerable Web Application (DVWA) is a RandomStorm OpenSource project.
For further details about the services and products RandomStorm offer please visit:
http://www.randomstorm.com.
The DVWA project started in December 2008 and has steadily grown in popularity. It
is now used by thousands of security professionals, students and teachers
worldwide. DVWA is now included in popular penetration testing Linux distributions such
as Samurai Web Testing Framework and many others.
License
This file is part of Damn Vulnerable Web Application (DVWA).
Damn Vulnerable Web Application (DVWA) is free software: you can redistribute it
and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any
later version.
Damn Vulnerable Web App (DVWA) is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License along with
Damn Vulnerable Web App (DVWA). If not, see http://www.gnu.org/licenses/.
Warning
Damn Vulnerable Web App is damn vulnerable! Do not upload it to your hosting
provider's public html folder or any working web server as it will be compromised. We
recommend downloading and installing XAMPP onto a local machine inside your
LAN which is used solely for testing.
We do not take responsibility for the way in which anyone uses Damn Vulnerable
Web App (DVWA). We have made the purposes of the application clear and it should
not be used maliciously. We have given warnings and taken measures to prevent
users from installing DVWA onto live web servers. If your web server is
compromised via an installation of DVWA it is not our responsibility; it is the
responsibility of the person/s that uploaded and installed it.
Installation
DVWA is a web application coded in PHP that uses a MySQL back-end database.
DVWA needs a web server, PHP and MySQL installed in order to run. The easiest
way to install DVWA is to download and install 'XAMPP' if you do not already have a
web server set up.
XAMPP is a very easy to install Apache Distribution for Linux, Solaris, Windows and
Mac OS X. The package includes the Apache web server, MySQL, PHP, Perl, an FTP
server and phpMyAdmin.
XAMPP can be downloaded from:
http://www.apachefriends.org/en/xampp.html
DVWA default username = admin
DVWA default password = password
Windows
Once you have downloaded and installed XAMPP place the uncompressed DVWA
folder in your Apache htdocs folder. Normally located at 'C:\XAMPP\htdocs'. DVWA
should now be accessible from your browser at http://127.0.0.1/dvwa.
Linux
Once you have downloaded and installed XAMPP place the uncompressed DVWA
folder in your Apache htdocs folder. Normally located at '/opt/lampp/htdocs'. Start
Apache with the following command: 'sudo /opt/lampp/lampp start'. DVWA should now
be accessible from your browser at http://127.0.0.1/dvwa.
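The Linux steps above, as an added helper script that is not part of DVWA or this document: it copies the unpacked DVWA folder into XAMPP's htdocs, refuses to start the stack unless Apache's httpd.conf binds only loopback addresses (so the deliberately vulnerable app is not reachable from the LAN, as the Warning section asks), then checks that DVWA answers on 127.0.0.1. The XAMPP paths are assumed defaults, and the Listen check, which is mine, is the part the test exercises.

```shell
#!/bin/sh
# Hypothetical helper for the Linux install steps: deploy DVWA into XAMPP,
# verify Apache is loopback-only, start the stack, confirm DVWA responds.
# XAMPP paths are assumed defaults (not taken from the document); override via env.
XAMPP_HTDOCS=${XAMPP_HTDOCS:-/opt/lampp/htdocs}
XAMPP_CTL=${XAMPP_CTL:-/opt/lampp/lampp}
XAMPP_HTTPD_CONF=${XAMPP_HTTPD_CONF:-/opt/lampp/etc/httpd.conf}

# Copy the unpacked DVWA folder to $htdocs/dvwa, creating the target if needed.
install_dvwa() {
    src=$1; htdocs=$2
    [ -d "$src" ] || { echo "DVWA source folder not found: $src" >&2; return 1; }
    mkdir -p "$htdocs/dvwa" && cp -R "$src/." "$htdocs/dvwa/"
}

# Succeed only if httpd.conf has at least one active Listen directive and every
# one of them binds 127.0.0.1 or [::1]. A bare "Listen 80" binds all interfaces,
# which would expose DVWA to the whole LAN. Commented-out lines are ignored.
listen_is_loopback() {
    conf=$1
    total=$(grep -cE '^[[:space:]]*Listen[[:space:]]' "$conf" || true)
    local_only=$(grep -cE '^[[:space:]]*Listen[[:space:]]+(127\.0\.0\.1|\[::1\]):[0-9]+([[:space:]]+[a-z]+)?[[:space:]]*$' "$conf" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$local_only" ]
}

# Start XAMPP and check that DVWA answers on the loopback address.
start_and_verify() {
    sudo "$XAMPP_CTL" start
    sleep 2
    curl -fsS -o /dev/null http://127.0.0.1/dvwa/ && echo "DVWA is up at http://127.0.0.1/dvwa"
}

# Deployment runs only when invoked as: DVWA_DEPLOY=1 sh deploy_dvwa.sh <unpacked-dvwa-dir>
if [ "${DVWA_DEPLOY:-0}" = 1 ]; then
    install_dvwa "${1:?usage: DVWA_DEPLOY=1 $0 <unpacked-dvwa-dir>}" "$XAMPP_HTDOCS"
    listen_is_loopback "$XAMPP_HTTPD_CONF" || {
        echo "Refusing to start: $XAMPP_HTTPD_CONF has a Listen directive that is not loopback-only" >&2
        exit 1
    }
    start_and_verify
fi
```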
Vulnerabilities
DVWA, as the name suggests, is vulnerable to the most common types of web
application vulnerabilities. DVWA incorporates most of the Open Web Application
Security Project's (OWASP) top 10 web application security risks for 2010 as
reported in the OWASP TOP 10 document:
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
The OWASP Top 10 Web Application Security Risks for 2010 are:
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards