[WEB SECURITY] Damn Vulnerable Web App

MustLive mustlive at websecurity.com.ua
Wed May 27 14:30:45 EDT 2009

Hello Ryan!

> Damn Vulnerable Web App

I liked the name of your project - Damn Vulnerable Web App :-).

There is some sense in such an application: to give people an instrument to
test their skills and/or tools. I will even write about it on my site ;-).
But man, there are other instruments for testing hacking skills on the Internet
(yours is an interesting addition to the existing tools), like moth,
or web sites which are designed to check people's security skills on them.
RSnake wrote a list of such sites.

But I think that such custom-made web apps (like DVWA), which are designed
to be hacked, are not suitable enough for real professionals (possibly only
for students and beginners in the webappsec field), because they are far
from a real-life environment. Real professionals, and those beginners who
want to become professionals in this field, must get experience and improve
their skills in a real-life environment. So for this purpose their own web
sites (web apps) can be used (which they created themselves or built on some
engine), and after that the real web sites (web apps) of their clients can be
used (for additional improvement of their skills).

And don't forget about the millions of vulnerable sites on the Internet which
everyone can test in a legal (or semi-legal) environment. Bad guys will hack
them in any case. So you can hack them first to inform admins about
vulnerabilities on their web sites, to improve their security (I call it a
kind hack).

> And much more…

There must be more (because there are a lot of different vulnerabilities).

> Damn Vulnerable Web App is damn vulnerable! Do not upload it to your
> hosting provider’s public html folder or any working web server as it
> will be hacked.

Don't forget to write this warning in the documentation, the readme and even in
the source files of DVWA ;-), to make sure that everyone who downloads
it will read the warning before using it.

Best wishes & regards,
Administrator of Websecurity web site

From: Ryan Dewhurst <ryandewhurst at xxxxxxxxx>
Subject: [WEB SECURITY] Damn Vulnerable Web App
Date: Wed, 27 May 2009 17:36:01 +0100

> Damn Vulnerable Web App
> Damn Vulnerable Web App (DVWA) is a web application that is damn
> vulnerable. Its main goals are to be lightweight, easy to use and
> full of vulnerabilities to exploit. It has been developed for the use
> of information security professionals and students to test out their
> skillz and/or toolz in a legal environment.
> Vulnerabilities:
> SQL Injection
> XSS (Cross Site Scripting)
> LFI (Local File Inclusion)
> RFI (Remote File Inclusion)
> Command Execution
> Upload Script
> Login Brute Force
> And much more…
> Damn Vulnerable Web App is damn vulnerable! Do not upload it to your
> hosting provider’s public html folder or any working web server as it
> will be hacked. I recommend downloading and installing XAMPP onto a
> local machine inside your LAN which is used solely for testing.
> I do not take responsibility for the way in which any one uses this
> application. I have made the purposes of the application clear and it
> should not be used maliciously.
> Current version: 1.0.3 Released: 25/05/2009
> Download from SourceForge:
> http://sourceforge.net/projects/dvwa
