Damn Vulnerable Web App (DVWA) has released an updated version (v1.04) of their PHP/mySQL web application that is intended to be attacked. It’s intended to be run on a local (closed) network as a learning tool for exploits and vulnerabilities. As it sits now, it pretty much contains a lot of the basics – brute force, command execution, file inclusion, SQL injection, and XSS.

DVWA Home Screen

The app does provide some help and tips for accessing some of the basics of each type of attack. It also lets you view the source code as the attacks take place (useful for debugging your XSS and SQL injection attacks). It also gives you three different levels of security for the site. This can show you as well how to prevent these attacks.

DVWA Security Settings

DVWA Source View

It’s a great tool if you’re just getting started and need the basics to get the ball rolling. But if you’re experienced at all, you may find this a little boring. It would be nice to see some advanced stuff, but if you’re at that level, you probably don’t need to be playing with apps like these. You’re probably already writing your own.

You can find the latest development files here SVN or grab the latest release version here ZIP.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

Tags: education, hacking, web hacks

This entry was posted on Thursday, July 23rd, 2009 at 4:00 am by Tim Donaworth and is filed under Technology & Tool Thursday, hacking, software. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.