DVWA LiveCD



DVWA now comes on its own bootable LiveCD!

You can burn the ISO image onto a disc and boot DVWA from it, or create a virtual machine from the ISO in VirtualBox (open source) or VMware. For now the LiveCD is only available as a torrent. It has never been easier to download and run DVWA! The initial LiveCD is based on DVWA v1.0.6. As with any DVWA install, the LiveCD is deliberately vulnerable: keep it on an isolated or host-only network and never expose it to the internet.

The LiveCD was entirely developed by Duncan Alderson (@webantix) from http://www.webantix.net/.

A massive thanks to him from the whole DVWA community!

Download Torrent: DVWA-1.0.6.iso.torrent (please seed!)

UPDATE 24/02/2010 —

The DVWA login credentials are dvwa:password

Thanks to everyone for seeding! :)





DVWA turns Samurai (oo)



DVWA v1.0.6 will be integrated into the fantastic SamuraiWTF (Samurai Web Testing Framework) version 0.8 LiveCD.

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

This is great news for the DVWA project and we are all very excited!

SamuraiWTF: http://samurai.inguardians.com/





DVWA v1.0.6



DVWA v1.0.6 has been released. The changes are mainly bug fixes and a couple of tweaks here and there.

Changelog:

Fixed a bug where the logo would not show on first-time use. 03/09/2009 (ethicalhack3r)
Removed the 'current password' input box for low and medium CSRF security (requiring the current password defeats a CSRF attack, since the attacker does not know it, so those levels were not exploitable). 03/09/2009 (ethicalhack3r)
Added an article which was written for OWASP Turkey. 03/10/2009 (ethicalhack3r)
Added more troubleshooting information. 02/10/2009 (ethicalhack3r)
Stored XSS high now sanitises output. 02/10/2009 (ethicalhack3r)
Fixed a 'bug' in XSS stored low which made it not vulnerable. 02/10/2009 (ethicalhack3r)
Rewrote command execution high to use a whitelist. 30/09/2009 (ethicalhack3r)
Fixed a command execution vulnerability in exec high. 17/09/2009 (ethicalhack3r)
Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/2009 (ethicalhack3r)
Added the upload directory to the upload help. 17/09/2009 (ethicalhack3r)
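The whitelist entry in this changelog is the one change worth seeing in code. The PHP below is an added illustration written for this page, not DVWA's own source: it builds, without running it, the ping command line that a form handler would hand to the shell, first with no filtering, then with a blacklist that strips two separators, then with a whitelist that accepts only a syntactically valid IP address and quotes it with escapeshellarg. The function names, the sample inputs and the exact filters are this example's assumptions, not DVWA's code.

```php
<?php
// Added illustrative example (not DVWA's own source). Each builder returns
// the command string a "ping a host" form would pass to the shell, so the
// effect of each filter can be inspected without executing anything.
// Function names and filters are this example's own assumptions.

declare(strict_types=1);

// No filtering: anything the shell treats specially (; && | ` $() newline)
// goes straight through to the shell.
function build_ping_unfiltered(string $target): string
{
    return 'ping -c 3 ' . $target;
}

// Blacklist: removes two separators. Bypassable because the shell knows more
// separators than the list does (|, newline, backticks, $()).
function build_ping_blacklist(string $target): string
{
    $target = str_replace(['&&', ';'], '', $target);
    return 'ping -c 3 ' . $target;
}

// Whitelist: accept only something that *is* an IPv4/IPv6 address, then
// quote it anyway so the shell never sees metacharacters even if the
// validator is later relaxed. Returns null when the input is rejected.
function build_ping_whitelist(string $target): ?string
{
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return 'ping -c 3 ' . escapeshellarg($target);
}

// Constructed inputs: one benign address and five injection attempts.
$inputs = [
    '127.0.0.1',
    '127.0.0.1; id',        // classic separator, caught by the blacklist
    '127.0.0.1 && id',      // caught by the blacklist
    '127.0.0.1 | id',       // pipe, NOT in the blacklist
    "127.0.0.1\nid",        // newline separator, NOT in the blacklist
    '$(id)',                // command substitution, NOT in the blacklist
];

foreach ($inputs as $in) {
    printf("input %-22s unfiltered: %s\n", json_encode($in), build_ping_unfiltered($in));
    printf("%-28s blacklist:  %s\n", '', build_ping_blacklist($in));
    printf("%-28s whitelist:  %s\n\n", '', build_ping_whitelist($in) ?? '(rejected)');
}
```

Run it with the PHP CLI. The blacklist rows show the pipe, the newline and the command substitution passing through untouched, while the whitelist rejects every injection attempt before any command is built. Validating the value first and quoting it second gives two independent barriers; either one alone is weaker than both together.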


Download





DVWA v1.0.5 released!



Damn Vulnerable Web App (DVWA) v1.0.5 was officially released today, 03/09/2009, at 18:30 GMT after three months of work.


What's new?
Complete re-code.
Complete re-design.
CSRF vulnerability.
Stored XSS vulnerability.
Full Path Disclosure vulnerability.
Login page.
Sessions.
Many bug fixes.
PHPIDS implementation.
+ much more
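Stored XSS appears in DVWA for the first time in this release, and the 1.0.6 changelog later notes that the high level was changed to sanitise output. The PHP below is an added example for this page, not DVWA's guestbook code: it stores three constructed comments after an input-side filter that strips only the literal <script> tag, then renders the same rows twice, once verbatim and once through htmlspecialchars at output time, so the difference between filtering input and encoding output is visible in the generated HTML. The names, the filter and the sample comments are this example's assumptions.

```php
<?php
// Added illustrative example (not DVWA's own source): a minimal in-memory
// guestbook that contrasts an input-side blacklist with output encoding.
// Names, the filter and the sample comments are this example's assumptions.

declare(strict_types=1);

// In-memory stand-in for the guestbook table.
$guestbook = [];

function store_comment(array &$db, string $name, string $text): void
{
    $db[] = ['name' => $name, 'text' => $text];
}

// Input filter that removes only the literal, lower-case <script> tag.
// Every other script-bearing construct (mixed case, event handlers) survives.
function filter_input_blacklist(string $text): string
{
    return str_replace('<script>', '', $text);
}

// Output encoding: every stored value is HTML-escaped at render time,
// whatever reached the database. ENT_QUOTES also escapes single quotes so
// the value is safe inside attributes quoted either way.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders stored values verbatim: whatever the input filter missed runs
// in the browser of everyone who views the page.
function render_unsafe(array $db): string
{
    $out = '';
    foreach ($db as $row) {
        $out .= "<p><b>{$row['name']}</b>: {$row['text']}</p>\n";
    }
    return $out;
}

// Renders the same rows through esc(): the payloads become inert text.
function render_encoded(array $db): string
{
    $out = '';
    foreach ($db as $row) {
        $out .= '<p><b>' . esc($row['name']) . '</b>: ' . esc($row['text']) . "</p>\n";
    }
    return $out;
}

// Constructed submissions: the first is caught by the input blacklist,
// the other two are not.
$submissions = [
    ['alice', 'Nice site! <script>alert(1)</script>'],
    ['bob',   '<ScRiPt>alert(2)</ScRiPt>'],
    ['carol', '<img src=x onerror="alert(3)">'],
];

foreach ($submissions as [$name, $text]) {
    store_comment($guestbook, $name, filter_input_blacklist($text));
}

echo "--- input-filtered only ---\n", render_unsafe($guestbook);
echo "--- output-encoded ---\n", render_encoded($guestbook);
```

The first listing still contains a live script tag and a live onerror handler; the second contains neither, although the database rows are identical. Encoding at the point of output is what makes the stored data safe to display, which is why it is the change that matters for the high level rather than a longer blacklist.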

DOWNLOAD





DVWA v1.0.5 coming soon…



DVWA v1.0.5 will be released in the near future, sporting many changes including more vulnerabilities and features.

Since version 1.0.4 we have had a bigger open source community, which has pushed DVWA to a whole new level; without them the project couldn't be what it is today.

DVWA v1.0.5 change log:

Complete re-code.
Complete re-design.
CSRF vulnerability.
Stored XSS vulnerability.
Full Path Disclosure vulnerability.
Login page.
Sessions.
Many bug fixes.
PHPIDS implementation.
+ much more

We are looking for sponsors for version 1.0.5 and future versions. If you would like to reach thousands of security professionals and students, DVWA is for you. If you would like to sponsor our great project, please email sales[A]ethicalhack3r.co.uk.

Alternatively if you have found DVWA useful you can donate funds to the project here or contribute and become a member of the project here.

You can try DVWA v1.0.5 before its release by downloading the development version of DVWA from SourceForge.

DVWA v1.0.5 screenshots:

I'd like to thank the DVWA team for their contributions to the project, jamesr, Tedi and Craig Bryson to name a few. I would also like to thank everyone who has blogged, tweeted, given feedback, made videos and podcasted about DVWA.





Pentest Labs: Web Application Edition (securityaegis)



Ever wanted to set up a complete web application penetration testing lab with all the best tools available? Here is an awesome video by www.securityaegis.com to show you how to do it.

Web App Lab Setup from Laz3r (of Securityaegis.com) on Vimeo.


For a full write up on how to do this or for more information check out their original blog post:
http://www.securityaegis.com/?p=574





dvwa video presentation at SuperMondays



Here is the video from my presentation on dvwa at the SuperMondays event in Newcastle upon Tyne.



I think I must hold the record for the number of "ammm…"s in a 16-minute period! It was my first public talk, so there is much room for improvement.





dvwa v1.0.4 released



After a month of coding, Damn Vulnerable Web App (dvwa) v1.0.4 is ready for download.

dvwa v1.0.4 has many changes from version 1.0.3, mostly bug fixes and design improvements.

1.0.4 Change log:

Added acunetix scan report. 24/06/2009
All links use http://hiderefer.com to hide referrer header. 23/06/2009
Updated/added ‘more info’ links. 23/06/2009
Moved change log info to CHANGELOG.txt. 22/06/2009
Fixed the exec.php UTF-8 output. 16/06/2009
Moved Help/View source buttons to footer. 12/06/2009
Fixed phpInfo bug. 12/06/2009
Made dvwa IE friendly. 11/06/2009
Fixed html bugs. 11/06/2009
Added more info to about page. 03/06/2009
Added pictures for the users. 03/06/2009
Fixed typos on the welcome page. 03/06/2009
Improved README.txt and fixed typos. 03/06/2009
Made SQL injection possible in sqli_med.php. Thanks to Teodor Lupan. 03/06/2009

Any suggestions/feedback/contributions welcome!

Download: http://sourceforge.net/projects/dvwa





DVWA NEEDS YOU!



That’s right, YOU!

Damn Vulnerable Web App is an open source project, and in order for it to be successful we need your contributions. So far dvwa has been developed solely by me with some help from a couple of friends; I myself cannot make the project as successful as it can be.

We need contributions of any kind: suggestions, design, marketing, coding, etc.

What benefits are there to contributing to an open source project? Lots! It enables you to enhance your skills and knowledge, it looks good on your CV, it gets your name/website around, it shows future employers that you're dedicated to enhancing the security industry, and much more…

What we need:

Make the CSS cross platform.
Improve the current vulnerabilities.
Develop more vulnerabilities.
Improve the design/look/feel.
Design a logo.
Improve the code.
Get the word out.
Feedback.
Suggestions.

How to contribute:

You can contribute by leaving messages on this blog or by emailing dvwa_email. All code/content contributors can have their name/link on the about page in dvwa (if they wish).





Damn Vulnerable Web App installation video



I decided to make a video on installing and running dvwa. This is my first video, so if I sound nervous it's because I am.

Hope you enjoy it…

Comments welcome, good or bad.