Web developers build web applications and need to keep in mind the safety measures involved in doing so. Any loophole in an application may allow attackers to take advantage of it, leading to remote code execution, database extraction, and sometimes even the complete takeover of the server hosting it. So we must ensure that web applications are properly built and free from vulnerabilities that could lead to any type of attack.

Web Application Threats

Here I have listed some common web application threats:

  1. Cookie Poisoning
  2. Information Leakage
  3. Insecure Storage
  4. Improper Error Handling
  5. Parameter Tampering
  6. Broken Access Control
  7. Broken Session Management
  8. SQL Injection
  9. Denial of Service
  10. Buffer overflow
  11. Security Misconfiguration
  12. Cross Site Scripting
  13. Cross Site Request Forgery
  14. Unvalidated input
  15. Directory Traversal
  16. Log Tampering
  17. Injection Flaws

In the next article I will cover web application countermeasures.

Moving on to the topic: DVWA (Damn Vulnerable Web Application) helps web developers understand the security of web applications.

Requirements:

1. To install DVWA we need an operating system; Kali Linux is recommended. If your host is already Kali Linux, that is fine.

2. If not, download the virtual machine management software of your choice. I recommend VMware or VirtualBox.

3. MySQL database.

4. Web server (Apache).


How to Install DVWA in Kali Linux.

Know more about DVWA

Open a terminal in Kali Linux and switch to the web root directory.

Command: >cd /var/www/html

All files belonging to a web application must live under this path for the web server to serve them.


Now type: >git clone https://github.com/ethicalhack3r/DVWA.git

The files are downloaded. If you are not sure, check by typing "ls"; it will list the folders.

In that directory you will find DVWA. Give all the permissions to the DVWA folder.

Command: >chmod -R 777 DVWA

Now switch to the config directory: >cd DVWA/config

Edit the file config.inc.php.dist.

Command: >nano config.inc.php.dist

In the content you will find the database user and password: change the user to user and the password to pass.


Configure Database:

Start the database.

Command: >service mysql start

>mysql -u root -p

Create a new user (use the password you put in the config file, here pass):

>CREATE USER 'user'@'127.0.0.1' IDENTIFIED BY 'pass';

Grant all privileges on the dvwa database to that user:

>GRANT ALL PRIVILEGES ON dvwa.* TO 'user'@'127.0.0.1' IDENTIFIED BY 'pass';

The database configuration is now complete.

Now for the final step.

Configuration of the Server

Start the server.

>service apache2 start

Change to the PHP configuration directory for Apache (use whichever PHP version you have installed):

>cd /etc/php/<version>/apache2
>ls
>gedit php.ini

Edit this file.

In the content, search for allow_url_fopen and allow_url_include and set both to On:

allow_url_fopen = On
allow_url_include = On

Start the Apache service again so the change takes effect, open a browser and type: 127.0.0.1/DVWA/login.php

You will find a link to create/reset the database; click it, then log in with the user admin and the password password.
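The whole procedure above as one script, added here as an example; it is not taken from this post or from the DVWA project. It assumes the post's defaults (web root /var/www/html, database user user with password pass, the DVWA repository at github.com/ethicalhack3r/DVWA) and that git, Apache, PHP and MySQL/MariaDB are already installed on the Kali VM. Two choices differ from the steps above and are noted in comments: ownership of the DVWA tree is handed to the web server user instead of chmod -R 777, and the GRANT statement omits IDENTIFIED BY, which MySQL 8 rejects (MariaDB, as shipped with Kali, accepts both forms). The functions that edit config.inc.php and php.ini and that generate the SQL take their paths and credentials as parameters, so they can be tried on throwaway copies of the files before the real ones are touched.

```shell
#!/bin/sh
# Added example, not the post's or the DVWA project's code: the DVWA install steps
# as a script. Assumptions: Kali/Debian layout (web root /var/www/html, Apache
# running as www-data, php.ini under /etc/php/<version>/apache2), the post's
# credentials (user/pass) and the upstream DVWA repository URL.
set -eu

DVWA_REPO="https://github.com/ethicalhack3r/DVWA.git"
WEBROOT="/var/www/html"
DB_USER="user"
DB_PASS="pass"

# Rewrite the $_DVWA['db_user'] / $_DVWA['db_password'] entries in a DVWA config file.
# Takes the file path so it can be exercised on a copy; credentials must not
# contain the sed delimiter '|' or a backslash.
set_dvwa_db_creds() {
    file="$1"; user="$2"; pass="$3"
    sed -i \
        -e "s|^\([$]_DVWA\[ *'db_user' *\] *= *\)'[^']*'|\1'${user}'|" \
        -e "s|^\([$]_DVWA\[ *'db_password' *\] *= *\)'[^']*'|\1'${pass}'|" \
        "$file"
}

# Set a php.ini directive: uncomment and rewrite an existing line (commented or
# not), or append the directive if the file has no such line at all.
set_php_ini_flag() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^[;[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i "s|^[;[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read back the effective (uncommented) value of a php.ini directive.
php_ini_value() {
    file="$1"; key="$2"
    sed -n "s|^${key}[[:space:]]*=[[:space:]]*||p" "$file" | tail -n 1
}

# Emit the SQL for the DVWA database user. GRANT carries no IDENTIFIED BY clause
# so the same statements work on MySQL 8 and on MariaDB.
dvwa_db_sql() {
    user="$1"; pass="$2"
    printf "CREATE USER IF NOT EXISTS '%s'@'127.0.0.1' IDENTIFIED BY '%s';\n" "$user" "$pass"
    printf "GRANT ALL PRIVILEGES ON dvwa.* TO '%s'@'127.0.0.1';\n" "$user"
    printf "FLUSH PRIVILEGES;\n"
}

install_dvwa() {
    cd "$WEBROOT"
    [ -d DVWA ] || git clone "$DVWA_REPO"
    # Ownership for the web server user instead of chmod -R 777: DVWA only needs
    # write access for its own process, not for every local account.
    chown -R www-data:www-data DVWA
    # DVWA reads config.inc.php; the .dist file is the template shipped with it.
    [ -f DVWA/config/config.inc.php ] || cp DVWA/config/config.inc.php.dist DVWA/config/config.inc.php
    set_dvwa_db_creds DVWA/config/config.inc.php "$DB_USER" "$DB_PASS"

    service mysql start
    dvwa_db_sql "$DB_USER" "$DB_PASS" | mysql -u root -p

    # First PHP version found under /etc/php; adjust if several are installed.
    phpdir=$(ls -d /etc/php/*/apache2 | head -n 1)
    set_php_ini_flag "$phpdir/php.ini" allow_url_fopen On
    set_php_ini_flag "$phpdir/php.ini" allow_url_include On
    service apache2 restart
    echo "Open http://127.0.0.1/DVWA/login.php and create/reset the database."
}

# Only perform the installation when asked; otherwise just define the functions.
case "${1:-}" in
    install) install_dvwa ;;
esac
```

Run it as sh dvwa-install.sh install on the Kali VM; without the install argument it only defines the functions. Note that allow_url_include = On deliberately lets PHP include code from remote URLs, which the DVWA file-inclusion exercises depend on, so this php.ini belongs on the lab VM only.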

Now you can access the vulnerabilities like Brute Force, CSRF, Command Execution and many more.

 Happy Learning.