This repository contains comprehensive documentation for setting up and testing various web application vulnerabilities using DVWA (Damn Vulnerable Web Application) in a controlled lab environment.
This documentation is for educational and authorized security testing purposes only.

- All credentials, IP addresses, and configurations are for isolated lab environments
- Do NOT use these techniques against systems you don't own or have explicit permission to test
- Credentials shown are examples for local testing only and should be changed in any real deployment
- SSH keys and session tokens have been redacted where appropriate

- WSL2 + Kali Linux installation
- Apache, MariaDB, and PHP configuration
- DVWA installation and database setup
- SSH key-based authentication setup
- Network configuration (port forwarding, firewall rules)

- Command Injection - OS command execution via web input
- File Upload Vulnerabilities - Malicious file upload and web shell deployment
- SQL Injection (SQLi) - Database enumeration and exploitation
- Cross-Site Scripting (XSS) - Reflected, Stored, and DOM-based XSS
- Cross-Site Request Forgery (CSRF) - Various CSRF attack vectors
- Local File Inclusion (LFI) - Log poisoning, SSH key extraction
- Remote File Inclusion (RFI) - Remote code execution
- Brute Force Attacks - Password cracking with Hydra and Burp Suite

- Kali Linux
- Burp Suite
- netcat
- curl
- Hydra
- Custom PHP shells and payloads

- Platform: Windows with WSL2 (Kali Linux)
- Web Server: Apache 2.4.63
- Database: MariaDB
- Target Application: DVWA (Low security level)
- Network: Isolated local network for testing

- All examples use `127.0.0.1` or `dvwa.local` for local testing
- Firefox with proxy configuration for Burp Suite integration
- Commands are provided for both browser-based and CLI-based exploitation

- Basic understanding of web application security
- Familiarity with Linux command line
- Understanding of HTTP protocols
- Knowledge of SQL, PHP, and JavaScript basics

This material is provided for educational purposes. The author assumes no liability for misuse of this information. Always obtain proper authorization before conducting security testing.
Educational use only. Not for production environments.