Damn Vulnerable Web App (DVWA) has released an updated version (v1.04) of its PHP/MySQL web application that is intended to be attacked. It’s meant to be run on a local (closed) network as a learning tool for exploits and vulnerabilities. As it stands now, it covers a lot of the basics: brute force, command execution, file inclusion, SQL injection, and XSS.
The app provides some help and tips on the basics of each type of attack. It also lets you view the source code as the attacks take place (useful for debugging your XSS and SQL injection attacks). It also gives you three different levels of security for the site, which can show you how to prevent these attacks as well.
It’s a great tool if you’re just getting started and need the basics to get the ball rolling. But if you’re experienced at all, you may find this a little boring. It would be nice to see some advanced stuff, but if you’re at that level, you probably don’t need to be playing with apps like these. You’re probably already writing your own.
Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions.