Skip to content

Installing DVWA in Docker

This is the start of a series where I will user DVWA to teach some basic Vulnerabilities using the DVWA frame work. To start with we need to install DVWA and the best tool to install it with is Docker. This allows us to spin it up quickly on various platforms.

What is DVWA?

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

It has vulnerabilities in PHP, mysql, file inclusion, Command Injection, and more. In this Article I describe the process of Installing DVWA in Docker.

So let’s get into it.

Set up for Installing DVWA

I will use my favourite BlackArch Linux install that I did in a previous blog post. For this write-up you can use any other flavour of Linux, for example BlackArch, Kali or any other modern Linux install with docker. As I use only ArchLinux based distributions the commands in this post will be for that platform only.

Also required is a network connection to the Internet. Without this you cant install Docker.

Installing Docker

If your using BlackArch or just ArchLinux then installation of docker is simple.

First update to the latest version of BlackArch/Arch

sudo pacman -Syu

Then install Docker.

sudo pacman -S docker

Installing DVWA

The docker image we will use is called “vulnerables/web-dvwa” and is available on docker hub. We can pull down the DVWA docker image with the below.

sudo docker pull vulnerables/web-dvwa
docker pull

Below is the command we use for running DVWA

1
docker run --rm -it -p 8080:80 --name=dvwa vulnerables/web-dvwa

The optons are,

  • –rm, Don’t save the state and delete the container when it stops running.
  • -it, Keep the container interactive so we can connect to it.
  • -d, Demonize the container so it keeps running in the background.
  • -p 80:8080, run the docker image on my system Loopback address at 127.0.0.1 on port 8080.
  • -name, This is the name of the Container that Docker will know it by.

Now, that was easy! All going well if should be able to open “http://127.0.0.1:8080” in Firefox and DVWA should be reachable.

Configuring DVWA

dvwa

Default login is

  • Username: admin
  • password: password

On the first run this will bring up the Database Setup page. Warning: because we used “–rm” when creating the docker image whatever we do here is not saved if the docker container is stopped.

dvwa setup

Let’s Initialize the Database by clicking the “Create/Reset Database” button.

Now DVWA will ask you to login again and its ready for action.

Our First DVWA Vulnerability

Once logged back in there is a menu on the right has side that lists all the vulnerabilities that can be exploited. Let’s take a look at one “Command Injection”

dvwa command injection

This screen asks us to put in a IP address and it can be pinged. Lets try it by putting in Googles DNS server ip “8.8.8.8”

dvwa command injection

Seems to do a command line ping. Command Injection are when you take a the function of a command and change what’s its suppose to do. In the example we just gave you can see the output from a ping command. It doesn’t expect to do anything else. What if we added something unexpected to the end of that IP address?

Like 8.8.8.8;whoami

In Linux and other Unix type operating Systems you can chain commands on a single command line with a delimiter. In this case the delimiter is the semi-colon “;”.

See example below.

command injection

I ran date, whoami and uptime commands on the same command line prompt. We can try it in the DVWA by imputing the below into the field “Enter an IP address:“.

8.8.8.8;whoami
dvwa injection

Bingo! See the “www-data” that’s the output from the “whoami” command. You can replace “whoami” with any Linux command and it will work.

Conclusion

I hoped you learned something from this post and if you have any comments please leave them below.

Published inDockerDVWAGetting Started With CTF ChallengesIT & SecurityLinux

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *