Web developers build web applications, and they must keep in mind the security measures involved in doing so. Any loophole left in an application may allow attackers to exploit it, leading to remote code execution, database extraction, and sometimes even a complete takeover of the server that hosts it. So it is essential to ensure that web applications are properly built and free from vulnerabilities that could lead to any type of attack.
Web Application Threats
Here I have listed some of the common web application threats:
- Cookie Poisoning
- Information Leakage
- Insecure Storage
- Improper Error Handling
- Parameter Tampering
- Broken Access Control
- Broken Session Management
- SQL Injection
- Denial of Service
- Buffer Overflow
- Security Misconfiguration
- Cross-Site Scripting
- Cross-Site Request Forgery
- Unvalidated Input
- Directory Traversal
- Log Tampering
- Injection Flaws
In the next article I will cover web application countermeasures.
Moving on to the topic: DVWA helps web developers understand the security of web applications.
To install DVWA you need:
1. Kali Linux as the operating system (recommended). If your host is already Kali Linux, that is fine.
2. If not, download the virtual machine management software of your choice; I recommend VMware or VirtualBox.
3. A MySQL database.
4. A web server.
How to Install DVWA in Kali Linux
Open a terminal in Kali Linux and switch to the web root:

cd /var/www/html

All files of a web application served by the web server must live under this path.

Now clone the DVWA repository:

git clone https://github.com/ethicalhack3r/DVWA.git

Once the files are downloaded, check with "ls": it lists the folders in the web root and you should see DVWA among them. Give full permissions to the DVWA folder and switch to its config directory:

chmod -R 777 DVWA
cd DVWA/config

Edit the file config.inc.php.dist:

nano config.inc.php.dist

In its content you will find the database user and password: set the user to user and the password to pass.
Start the database and log in as root:

service mysql start
mysql -u root -p

Create a new user (the same user and password you entered in config.inc.php.dist):

CREATE USER 'user'@'127.0.0.1' IDENTIFIED BY 'pass';

Grant that user all privileges on the dvwa database:

GRANT ALL PRIVILEGES ON dvwa.* TO 'user'@'127.0.0.1';

The database configuration is now complete.
Now the final step: configuration of the web server.

Start the server:

service apache2 start

Change to the PHP configuration directory for the PHP version you are using and open php.ini:

cd /etc/php/<version>/apache2
ls
gedit php.ini

In the file, search for allow_url_fopen and allow_url_include and set both to On:

allow_url_fopen = On
allow_url_include = On

Start the Apache service again so PHP picks up the change, then open a browser and go to:

http://127.0.0.1/DVWA/login.php

On that page you will find a create/reset database option; click it, then log in with the username admin and the password password.

Now you can access the vulnerability exercises such as Brute Force, CSRF, Command Execution and many more.
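The whole procedure above, collected into one script as an added example (this is not code from the original post or from the DVWA project). It assumes the web root /var/www/html, the database user "user" with password "pass" as used in the text, Apache's php.ini under /etc/php/<version>/apache2/, and that config.inc.php.dist holds its credentials on lines of the form $_DVWA[ 'db_user' ] = '...'; (all of these are assumptions; adjust them if your checkout differs). The SQL grants the user rights on dvwa.* only, and the php.ini helper replaces an existing line even when it is commented out with ";", which is the usual state of allow_url_include in a stock php.ini.

```shell
#!/bin/sh
# Added example (not from the original post or the DVWA project): the DVWA
# install steps as one script. Assumptions: web root /var/www/html, DB user
# "user" / password "pass" as in the text, Apache php.ini under
# /etc/php/<version>/apache2/, and $_DVWA[ 'db_user' ] / 'db_password' lines
# in config.inc.php.dist. Adjust if your checkout differs.
set -eu

WEB_ROOT="${WEB_ROOT:-/var/www/html}"
DVWA_REPO="https://github.com/ethicalhack3r/DVWA.git"
DB_USER="user"
DB_PASS="pass"

# SQL for the database step: a user that can reach only dvwa.* (no global grants).
# IF NOT EXISTS (MariaDB 10.1+ / MySQL 5.7+) makes the script safe to re-run.
dvwa_sql() {  # $1 = user, $2 = password
    printf "CREATE USER IF NOT EXISTS '%s'@'127.0.0.1' IDENTIFIED BY '%s';\n" "$1" "$2"
    printf "GRANT ALL PRIVILEGES ON dvwa.* TO '%s'@'127.0.0.1';\n" "$1"
    printf "FLUSH PRIVILEGES;\n"
}

# Rewrite $_DVWA[ 'key' ] = '...'; in a DVWA config file (value must not contain / or &).
set_dvwa_setting() {  # $1 = config file, $2 = key, $3 = new value
    sed -i -E "s/(\\\$_DVWA\[ *'$2' *] *= *)'[^']*'/\1'$3'/" "$1"
}

# Read the current value of a $_DVWA[ 'key' ] entry, to verify the edit.
get_dvwa_setting() {  # $1 = config file, $2 = key
    sed -nE "s/^\\\$_DVWA\[ *'$2' *] *= *'([^']*)'.*/\1/p" "$1" | tail -n 1
}

# Set a php.ini directive: replace an existing (possibly ';'-commented) line,
# or append the directive if it is absent from the file.
set_php_directive() {  # $1 = php.ini, $2 = directive, $3 = value
    if grep -Eq "^[[:space:]]*;?[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i -E "s|^[[:space:]]*;?[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Read back an active (uncommented) php.ini directive value.
get_php_directive() {  # $1 = php.ini, $2 = directive
    sed -nE "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1" | tail -n 1
}

install_dvwa() {
    cd "$WEB_ROOT"
    [ -d DVWA ] || git clone "$DVWA_REPO"
    chmod -R 777 DVWA                          # as in the post; a lab VM setting
    cfg=DVWA/config/config.inc.php.dist
    set_dvwa_setting "$cfg" db_user "$DB_USER"
    set_dvwa_setting "$cfg" db_password "$DB_PASS"
    cp -n "$cfg" DVWA/config/config.inc.php    # newer checkouts read this copy

    service mysql start
    dvwa_sql "$DB_USER" "$DB_PASS" | mysql -u root -p

    for ini in /etc/php/*/apache2/php.ini; do
        set_php_directive "$ini" allow_url_fopen On
        set_php_directive "$ini" allow_url_include On
    done
    service apache2 restart
    echo "Open http://127.0.0.1/DVWA/login.php, create/reset the database, then log in as admin / password"
}

# Run the installer only when asked, so the helpers can be sourced or tested alone.
if [ "${1:-}" = "install" ]; then
    install_dvwa
fi
```

Run it as root with `sh dvwa_setup.sh install`; without the argument it only defines the helper functions, so you can source it and call set_php_directive or dvwa_sql by hand.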