DVWA Walkthrough Part 1: Setup


Damn Vulnerable Web App (DVWA) is an intentionally vulnerable PHP/MySQL web application for penetration testers to use to learn and practice exploiting many types of common web vulnerabilities.

GETTING DVWA

DVWA source code is available from http://www.dvwa.co.uk; however, a preloaded Linux server image is also available from vulnhub.com. The quickest way to get started is to download the .iso file and boot the distro in VMware or VirtualBox.

SETTING UP DVWA 

Once the .iso is booted you will be presented with a shell. To find out what IP address has been assigned to the machine via DHCP, run the ifconfig command.

dvwa@dvwa:~$ ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:0c:29:0c:8b:03  
          inet addr:192.168.218.136  Bcast:192.168.218.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe0c:8b03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24577 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:29040387 (27.6 MiB)  TX bytes:1359164 (1.2 MiB)
Now that we know the IP address, browse to the web interface:

http://<ip address>/setup.php

Click ‘Create / Reset Database’.


Next, click ‘DVWA Security’ and log on with the default credentials:

username: admin
password: password

Set the security level to low. This is the easiest setting and probably a good place to start if you are a beginner.


INSTALLING BURP SUITE

For the rest of this walkthrough we will use Burp Suite to assist in finding and exploiting vulnerabilities. Burp Suite comes in free and paid versions; the free version is fine for our purposes.

http://portswigger.net/burp/download.html

Once Burp is installed, configure your browser's proxy settings to point at Burp. By default, Burp listens on 127.0.0.1:8080.

In Firefox the proxy settings can be found at: Settings > Advanced > Network > Settings.


Open your browser and browse to the DVWA IP address. If Burp is configured properly, you should see the HTTP request in the Proxy > Intercept tab.

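As an added example (not part of the original post), the following Python script ties the setup steps together: it parses a constructed copy of the ifconfig output shown above, checks that the address is a private one so the intentionally vulnerable VM is not sitting on a public network, builds the setup.php URL, and probes whether Burp's default listener on 127.0.0.1:8080 is accepting connections. The curl line it prints is an assumed shell equivalent of the browser proxy setting, not something the post describes.

```python
# Added example, not from the original post: parse the ifconfig output shown
# above, confirm the address is a private lab address, and build the DVWA
# setup URL plus a curl command that goes through Burp's default listener.
import ipaddress
import re
import socket

BURP_PROXY = ("127.0.0.1", 8080)  # Burp's default proxy listener

# Constructed sample in the shape of the ifconfig output above.
IFCONFIG_OUTPUT = """\
eth0      Link encap:Ethernet  HWaddr 00:0c:29:0c:8b:03
          inet addr:192.168.218.136  Bcast:192.168.218.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe0c:8b03/64 Scope:Link
"""

def primary_ipv4(ifconfig_output: str) -> str:
    """Return the first 'inet addr:' value in legacy ifconfig output."""
    match = re.search(r"inet addr:(\d{1,3}(?:\.\d{1,3}){3})", ifconfig_output)
    if not match:
        raise ValueError("no IPv4 address found in ifconfig output")
    return match.group(1)

def is_lab_address(ip: str) -> bool:
    """True for private, non-routable space (minus loopback and link-local)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private and not (addr.is_loopback or addr.is_link_local)

def setup_url(ip: str) -> str:
    """The setup page the walkthrough opens first."""
    return f"http://{ip}/setup.php"

def curl_via_burp(url: str, proxy=BURP_PROXY) -> str:
    """Shell equivalent of the browser proxy setting: fetch through Burp."""
    return f"curl -x http://{proxy[0]}:{proxy[1]} {url}"

def proxy_listening(proxy=BURP_PROXY, timeout: float = 1.0) -> bool:
    """Is something (Burp) accepting connections on the proxy address?"""
    try:
        with socket.create_connection(proxy, timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    ip = primary_ipv4(IFCONFIG_OUTPUT)
    print("DVWA at", ip, "- private lab range:", is_lab_address(ip))
    print("Setup page:", setup_url(ip))
    print("Burp listening on %s:%d:" % BURP_PROXY, proxy_listening())
    print("Via Burp from a shell:", curl_via_burp(setup_url(ip)))
```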
