Damn Vulnerable Web App (DVWA) is an intentionally vulnerable PHP/MySQL web application that penetration testers use to learn and practice exploiting many common types of web vulnerability.
The DVWA source code is available from http://www.dvwa.co.uk; however, a preloaded Linux server image is also available from vulnhub.com. The quickest way to get started is to download the .iso file and boot it in VMware or VirtualBox.
SETTING UP DVWA
Once the .iso is booted you will be presented with a shell. To find out what IP address has been assigned to the machine via DHCP, run the ifconfig command:
dvwa@dvwa:~$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0c:29:0c:8b:03
          inet addr:192.168.218.136  Bcast:192.168.218.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe0c:8b03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24577 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29040387 (27.6 MiB)  TX bytes:1359164 (1.2 MiB)
Now that we know the IP address, browse to the web interface:
Click ‘Create / Reset Database’.
Next, click ‘DVWA Security’ and log on with the default credentials:
Set the security level to Low. This is the easiest setting and a good place to start if you are a beginner.
INSTALLING BURP SUITE
For the rest of this walkthrough we will use Burp Suite to assist in finding and exploiting vulnerabilities. Burp Suite comes in free and paid versions; the free version is fine for our purposes.
Once Burp is installed we need to configure the browser's proxy settings to point at Burp. By default, Burp listens on 127.0.0.1:8080.
In Firefox the proxy settings can be found at: Settings > Advanced > Network > Settings.
Open your browser and browse to the DVWA IP address. If Burp is configured properly you should see the HTTP request in the Proxy > Intercept tab.
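To script the two checks above (reading the DHCP-assigned address out of the ifconfig output and confirming that a request to DVWA actually passes through Burp's listener), here is an added Python example that is not part of the original walkthrough. It assumes DVWA is served at the web root over plain HTTP and that Burp is on its default 127.0.0.1:8080; the embedded ifconfig text is a constructed sample copied from the output shown earlier.

```python
import re
import urllib.request
from typing import Optional, Tuple

# Constructed sample: the eth0 block from the ifconfig output shown earlier on this page.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0c:29:0c:8b:03
          inet addr:192.168.218.136  Bcast:192.168.218.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe0c:8b03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# Legacy (net-tools) ifconfig prints the IPv4 address as "inet addr:A.B.C.D".
INET_ADDR_RE = re.compile(r"\binet addr:(\d{1,3}(?:\.\d{1,3}){3})")


def parse_inet_addr(ifconfig_output: str) -> Optional[str]:
    """Return the first IPv4 address found in legacy ifconfig output, or None."""
    match = INET_ADDR_RE.search(ifconfig_output)
    return match.group(1) if match else None


def dvwa_url(ip: str, path: str = "") -> str:
    """Build a DVWA URL. Assumption: DVWA is served at the web root over plain HTTP."""
    return f"http://{ip}/{path.lstrip('/')}"


def fetch_via_burp(url: str, proxy: str = "127.0.0.1:8080",
                   timeout: float = 5.0) -> Optional[Tuple[int, str]]:
    """Request url through Burp's default listener so it appears under Proxy > Intercept.

    Returns (HTTP status, first 200 bytes of body), or None when the proxy (or the
    target behind it) cannot be reached. While Intercept is on, Burp holds the request
    until you click Forward, so a short timeout will also return None.
    """
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": f"http://{proxy}"})
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(200).decode("utf-8", errors="replace")
    except OSError:  # urllib.error.URLError subclasses OSError: refused, unreachable, timeout
        return None


if __name__ == "__main__":
    ip = parse_inet_addr(SAMPLE_IFCONFIG)
    print("DVWA host:", ip)
    print("via Burp:", fetch_via_burp(dvwa_url(ip)))
```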