DVWA 1.9 deployed with Docker: build the image and it is ready to use. The system is based on Ubuntu 14.04, and the server stack is apache2 + mysql + php5.
- Create the docker image:

```shell
$ docker build -t dvwa .
```

- Create a docker container:

```shell
# Interactively create a container; port 80 of the container is mapped to port 8082 on the host
$ docker run -it --name dvwa_vul -p 0.0.0.0:8082:80 dvwa /bin/bash
# Run in the background
$ docker run -d --name dvwa_vul -p 0.0.0.0:8082:80 dvwa
# Enter a container that is already running
$ docker exec -it dvwa_vul sh
```
- MySQL account
root/
- apache2 working directory
/var/www/html/
- DVWA account
admin/password
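The `-p 0.0.0.0:8082:80` mapping above publishes a deliberately vulnerable application, with known default credentials, on every interface of the host. The following added check is not part of this README: it reads `docker port` output and reports any mapping that is not bound to loopback. The container name `dvwa_vul` and port 8082 are taken from the commands above; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original DVWA README.
# `docker port <container>` prints one line per published port, e.g.
#   80/tcp -> 0.0.0.0:8082
#   80/tcp -> [::]:8082
# DVWA ships with default credentials (admin/password) and intentionally
# exploitable pages, so its port should be bound to loopback only, e.g.
#   docker run -d --name dvwa_vul -p 127.0.0.1:8082:80 dvwa

# Read `docker port` lines on stdin and print every mapping that is not
# bound to 127.0.0.0/8 or ::1. Returns 0 when all mappings are loopback-only,
# 1 otherwise.
check_port_bindings() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      *"->"*) ;;            # only mapping lines carry "->"
      *) continue ;;
    esac
    hostpart=${line##*-> }  # e.g. "0.0.0.0:8082" or "[::]:8082"
    addr=${hostpart%:*}     # strip ":port"; "[::]:8082" becomes "[::]"
    case "$addr" in
      127.*|'[::1]') ;;     # loopback: acceptable
      *) printf 'exposed: %s\n' "$line"; bad=1 ;;
    esac
  done
  return "$bad"
}

# On a live host: check_dvwa dvwa_vul
check_dvwa() {
  docker port "$1" | check_port_bindings
}

# Constructed samples of what `docker port dvwa_vul` prints for the
# 0.0.0.0:8082:80 mapping used above, and for a loopback-only mapping.
SAMPLE_EXPOSED='80/tcp -> 0.0.0.0:8082
80/tcp -> [::]:8082'
SAMPLE_LOOPBACK='80/tcp -> 127.0.0.1:8082'
```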
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
- Brute Force
- Command Execution
- Cross Site Request Forgery (CSRF)
- File Inclusion
- SQL Injection
- Insecure File Upload
- Cross Site Scripting (XSS)
- Full path Disclosure
- Authentication bypass
- Some others.
- Brute Force/Weak Passwords;
- Command Execution;
- Cross Site Request Forgery (CSRF);
- File Inclusion;
- SQL Injection;
- Insecure File Upload;
- Reflected Cross Site Scripting;
- Stored Cross Site Scripting;
- Full path Disclosure;
  Site wide. Set PHPSESSID to NULL. (Null Session Cookie) http://www.owasp.org/index.php/Full_Path_Disclosure
- Authentication bypass;