One. DVWA Introduction
DVWA (Damn Vulnerable Web Application) is used for security vulnerabilities identified in PHP / MySQL Web application, designed to test their professional skills and tools for safety professionals to provide legal environment to help web developers better understand the web application security process. DVWA total of ten modules, namely:
Brute Force (violence (crack))
the Command Injection (command injection)
CSRF (cross-site request forgery)
File in the Inclusion (file containing)
File the Upload (file upload)
Insecure CAPTCHA (unsafe verification code)
the SQL injection (the SQL injection)
the SQL injection (blind) (the SQL blind)
XSS (reflected) (reflective XSS)
XSS (the stored) (storage-type XSS)
Note that, DVWA 1.9 code division into four security levels:
Low, Medium, High, Impossible.
We can compare four levels of code access to some content PHP code audit.
To build two .DVWA
1. Download phpStudy
http://phpstudy.php.cn/
phpStudy is the integration of Apache and MySql integrated environment, download a good installation phpStudy,
if displayed a lack of VC runtime running
32-bit VC9: http: //www.microsoft.com/zh -CN / download / Details.aspx the above mentioned id = 5582?
64-bit VC9: http:? //www.microsoft.com/zh-CN/download/details.aspx id = 15336
after installing 127.0.0.1 see if you can run screen appears
download DVWA http://www.dvwa.co.uk/
download, unzip, put under the WWW directory phpStudy
2. Configure it is best to first of all relevant documents about the configuration of the database password phpStudy
After DVWA modification under / confing of config.inc.php.dist modify the
config.inc.php, find one of the original db_password instead just set
3. Modify successfully access 127.0.0.1/DVWA
Well if not then create problems will automatically jump to the login screen
username / password: admin / password
List of vulnerabilities on a three .DVWA
DVMA as his name suggests is an application that contains a lot of vulnerabilities. DVWA vulnerabilities including OWASP oepen web application security project of the web 10 big loophole. DVWA which specifically includes the following vulnerabilities:
1. brute vulnerability testing position into the vulnerability by brute force login page. This vulnerability is used to test tools and brute force show unsafe weak passwords.
2. Command Execution Vulnerability execute commands on the system at risk.
3.CSRF cross-site request forgery vulnerability allows an attacker to modify the application of the administrator password.
4.SQL injection, DVWA including blinds and error type spiked with two types of SQL injection vulnerabilities.
5. unsafe file upload vulnerability that allows an attacker to upload malicious files to a web server
6.XSS cross-site scripting vulnerability allows an attacker to inject their own script to a web server. DVWA system which includes a reflective memory type and XSS XSS two types.
7. The file contains loopholes that allow local and remote file containing the execution file containing the execution
8. codes bypassed
