Since the Indonesian Government and Legislative Body published the Cyber Law (UU No. 11/2008) in 2008, one can potentially go to jail for testing a web application that belongs to another organization.
So you may ask: “How do I learn about web application security if there is no playground for that?”
Luckily, there is a project called “Damn Vulnerable Web Application”. According to its website:
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
Its latest release (version 1.0.5) has the following vulnerabilities:
- Brute Force Login
- File Inclusion
- Command Execution
- Stored Cross Site Scripting
- Reflective Cross Site Scripting
- Cross Site Request Forgery
- SQL Injection
- Full Path Disclosure
and many other features.
The installation process is easy if you use XAMPP.
So what are you waiting for? Just grab the DVWA code and play with it. But don’t upload it to a computer that is accessible from the Internet, because it has so many vulnerabilities that can be exploited.
Here is a screenshot of DVWA: