Skip to content
/ Metasploitable2-DVWA-Project Public

Damn Vulnerable Web Application (DVWA) Pentesting Report – A detailed security assessment of DVWA covering vulnerability identification, exploitation techniques, and remediation strategies. Includes practical demonstrations of web security flaws such as SQL Injection, XSS, CSRF, Command Injection, and more, along with mitigation recommendations.

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

aniket8757/Metasploitable2-DVWA-Project

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
DVWA.pdf
DVWA.pdf
 
 
README.md
README.md
 
 

Repository files navigation

Metasploitable2-DVWA-Project

Damn Vulnerable Web Application (DVWA) Pentesting Report – A detailed security assessment of DVWA covering vulnerability identification, exploitation techniques, and remediation strategies. Includes practical demonstrations of web security flaws such as SQL Injection, XSS, CSRF, Command Injection, and more, along with mitigation recommendations.

DVWA (Damn Vulnerable Web Application) – Complete Guide

Table of Contents

  1. Introduction
  2. Installation & Setup
  3. Security Levels in DVWA
  4. Modules & Vulnerabilities
  5. Best Practices for Testing
  6. Mitigation Techniques
  7. References

Introduction

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application designed for security professionals to test their skills and tools in a legal environment. It contains several security flaws to practice penetration testing techniques.

Installation & Setup

  1. Download DVWA from the official GitHub repository.
  2. Place it in your web server directory (e.g., htdocs for XAMPP).
  3. Configure config.inc.php with your database credentials.
  4. Import the dvwa.sql database.
  5. Start Apache and MySQL.
  6. Access DVWA via http://localhost/dvwa.

Security Levels in DVWA

DVWA has three security levels:

  • Low – Minimal protection, easy to exploit.
  • Medium – Basic security features enabled.
  • High – Advanced protection and sanitization.

Modules & Vulnerabilities

SQL Injection

  • Goal: Test ability to exploit and extract database information.
  • Example Payload: ' OR '1'='1 --
  • Mitigation: Use prepared statements and parameterized queries.

XSS (Cross-Site Scripting)

  • Goal: Inject malicious JavaScript into a web page.
  • Example Payload: <script>alert('XSS')</script>
  • Mitigation: Input validation and output encoding.

CSRF (Cross-Site Request Forgery)

  • Goal: Trick authenticated users into performing unwanted actions.
  • Mitigation: Use CSRF tokens in forms.

Command Injection

  • Goal: Execute OS commands via unsanitized user input.
  • Example Payload: ; ls
  • Mitigation: Validate and sanitize user inputs.

File Inclusion

  • Goal: Include unauthorized files on the server.
  • Types: Local File Inclusion (LFI), Remote File Inclusion (RFI)
  • Mitigation: Use whitelists for file paths.

Brute Force

  • Goal: Guess valid login credentials by repeated attempts.
  • Mitigation: Rate limiting, account lockouts, strong password policies.

Best Practices for Testing

  • Always test in a controlled, isolated environment.
  • Document each vulnerability found.
  • Use tools like Burp Suite, OWASP ZAP, and SQLMap for automation.

Mitigation Techniques

  • Validate and sanitize all inputs.
  • Apply the principle of least privilege.
  • Keep software up to date.
  • Implement secure coding practices.

References

About

Damn Vulnerable Web Application (DVWA) Pentesting Report – A detailed security assessment of DVWA covering vulnerability identification, exploitation techniques, and remediation strategies. Includes practical demonstrations of web security flaws such as SQL Injection, XSS, CSRF, Command Injection, and more, along with mitigation recommendations.

Topics

xss penetration-testing sql-injection csrf web-security vulnerability-assessment dvwa ethical-hacking metasploitable-2

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published