Web Security Lab Part 1: Setting up DVWA - Hsanokklis/2022-2023-Tech-journal GitHub Wiki

Summary: Using a tool called Damn Vulnerable Web Application (DVWA) to get experience with software vulnerabilities, including command execution, SQL injection, and cross-site scripting.

Lab Link

Doc Link


Part 1: setup

  1. Take a snapshot of your Windows VM as a backup

image

image

  2. Disable Internet Information Services (IIS) from last week's lab

Go to "turn windows features on or off"

image

  3. Download, save and install XAMPP

  • Using version 8.2.0 since it's the latest one
  • Doing setup with all default options

image

  • Save to the xampp folder on the C drive

image

  • Allow access (this screen means that IIS has been disabled and the program will actually work)

image

  • Start Apache and MySQL (these are the 2 programs we are interested in for DVWA; we know they are running because they are both showing green)

image

  • We can test Apache by going to our browser and typing in localhost. This is the webpage that should come up

image

  4. Download a copy of DVWA from https://github.com/digininja/DVWA (as a zip file)

code ---> zipfile

image

  • Extract all files from the DVWA-master zip file

image

  • Rename the folder to just DVWA

image

  5. Copy the DVWA folder into htdocs in the xampp folder

Local Disk(C) --> xampp --> htdocs

image

  • To test that you have done this right, go to your browser and type in localhost/DVWA. You should get an error (which means it's correct)

image

  6. Go to DVWA --> config --> rename config.inc.php.dist to config.inc.php

image

  • The file should look like this

image

  7. Go to admin for MySQL

image

  • This should open this site

image

  8. Create a dvwa database

This is the list of databases

image

  • Creating the database

image

  9. Add the user
  • Go to privileges ---> add user account

image

  10. Add in user specifications
  • They have to match what it says in the config.inc.php file (which you can open with Notepad)

image

image

  11. Grant all privileges on database dvwa

image

  12. Click Go to make your new user and make sure you get the popup

image

  13. Go to the DVWA setup page

image

  14. Click the create database button

image

  • _If things go right you should get these popups_

image

  15. Fix allow_url_include, missing gd and reCAPTCHA key

image

image

  16. Edit the php.ini file
  • Go back to the control panel --> Apache --> config --> php.ini

image

  17. Turn on allow_url_include

image

  • Edit the file to turn it on

image

  18. Enable gd

image

  • To enable it, remove the semicolon so that the line is no longer a comment

image

  19. Save the file and stop/start Apache

image
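The php.ini edits above can be checked from the file itself before reloading the DVWA setup page. The script below is an added example, not part of the lab material: it parses php.ini text and reports whether allow_url_include is on and whether the gd extension line is uncommented. The sample fragments are constructed, and the default path C:\xampp\php\php.ini and the gd2 alias are assumptions.

```python
import re
import sys

# Constructed sample: php.ini fragment before the edits in the steps above.
SAMPLE_BEFORE = """\
[PHP]
allow_url_fopen=On
allow_url_include=Off
;extension=gd
extension=mysqli
"""
# The same fragment after turning allow_url_include on and uncommenting gd.
SAMPLE_AFTER = (SAMPLE_BEFORE.replace("allow_url_include=Off", "allow_url_include=On")
                .replace(";extension=gd", "extension=gd"))

TRUE_VALUES = {"1", "on", "true", "yes"}
GD_NAMES = {"gd", "gd2"}  # assumption: older PHP builds name the module gd2

def parse_php_ini(text):
    """Return (directives, extensions); ';' lines are comments, last value wins."""
    directives, extensions = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition("=")
        # skip blanks, section headers, comments and lines without an assignment
        if not sep or line[0] in ";[":
            continue
        key = key.strip()
        value = value.split(";", 1)[0].strip().strip('"').lower()
        if key == "extension":
            # php_gd.dll, gd.so and gd all name the same module
            extensions.add(re.sub(r"^php_|\.(dll|so)$", "", value))
        else:
            directives[key] = value
    return directives, extensions

def check_dvwa_settings(text):
    """True/False for each php.ini item the DVWA setup page flags."""
    directives, extensions = parse_php_ini(text)
    return {
        # an absent directive means PHP's default, which is off
        "allow_url_include": directives.get("allow_url_include", "") in TRUE_VALUES,
        "gd": bool(extensions & GD_NAMES),
    }

if __name__ == "__main__":
    # Pass the php.ini path as the first argument; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AFTER
    for name, ok in check_dvwa_settings(text).items():
        print(f"{name}: {'enabled' if ok else 'NOT enabled'}")
```
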

  20. Input the reCAPTCHA key (in the lab instructions)

image

  21. Change default security level to low

image

image

Fully setup DVWA

image