DVWA docker

DVWA 1.9 deployed with Docker: after the build it can be used directly. The system is based on Ubuntu 14.04, and the server stack is apache2 + mysql + php5.

How to use

  1. Build the docker image
$ docker build -t dvwa .
  2. Create a docker container
# Create a container interactively; the container's port 80 is mapped to port 8082 on the host
$ docker run -it --name dvwa_vul -p 0.0.0.0:8082:80 dvwa /bin/bash
# Run in the background
$ docker run -d --name dvwa_vul -p 0.0.0.0:8082:80 dvwa
# Enter an already-running container
$ docker exec -it dvwa_vul sh
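The commands above publish the container on 0.0.0.0, i.e. on every interface of the host. DVWA is intentionally vulnerable, so a practitioner normally wants it reachable from the host only and wants to know when it has actually come up. The helper script below is an added example and is not part of this repository: it refuses to start unless the -p spec binds to loopback, builds the image only if it is missing, starts the container in the background and polls the login page until apache answers. The image name dvwa and container name dvwa_vul are those used in the README; the host port 8082 and the /dvwa/login.php path are taken from the run command and the Links section, and all of them are assumptions that can be overridden through the environment.

```shell
#!/bin/sh
# Added helper (not part of this repository): build the dvwa image, start it
# published on the loopback interface only, and wait until the login page answers.
# Assumed names: image "dvwa" and container "dvwa_vul" as in the README; the URL
# path /dvwa/login.php comes from the Links section and host port 8082 from the
# run command. All of them are overridable through the environment.
set -u

DVWA_IMAGE=${DVWA_IMAGE:-dvwa}
DVWA_CONTAINER=${DVWA_CONTAINER:-dvwa_vul}
DVWA_PUBLISH=${DVWA_PUBLISH:-127.0.0.1:8082:80}
DVWA_URL=${DVWA_URL:-http://127.0.0.1:8082/dvwa/login.php}

# A docker -p spec is hostPort:containerPort or hostIP:hostPort:containerPort.
# Without an explicit host IP (or with 0.0.0.0) docker binds every interface,
# which exposes an intentionally vulnerable application to the whole network.
# Returns 0 only for an IPv4 or IPv6 loopback host address.
publish_spec_is_loopback() {
    case "$1" in
        127.0.0.1:*:*|'[::1]':*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll a URL with curl once per second until it answers with a non-error
# status or the attempt budget (default 30) runs out.
wait_for_http() {
    url=$1
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        if curl -fsS -o /dev/null "$url"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

dvwa_up() {
    if ! publish_spec_is_loopback "$DVWA_PUBLISH"; then
        echo "refusing to start: $DVWA_PUBLISH is not bound to loopback" >&2
        return 1
    fi
    # Build only when the image is missing; the build context is the repository root.
    docker image inspect "$DVWA_IMAGE" >/dev/null 2>&1 || docker build -t "$DVWA_IMAGE" .
    docker run -d --name "$DVWA_CONTAINER" -p "$DVWA_PUBLISH" "$DVWA_IMAGE"
    if wait_for_http "$DVWA_URL"; then
        echo "DVWA is up at $DVWA_URL"
    else
        echo "DVWA did not answer at $DVWA_URL; container logs follow" >&2
        docker logs "$DVWA_CONTAINER" >&2
        return 1
    fi
}

dvwa_down() {
    docker rm -f "$DVWA_CONTAINER"
}

# Only act when invoked with a verb, so the functions can also be sourced.
case "${1:-}" in
    up) dvwa_up ;;
    down) dvwa_down ;;
    "") ;;
    *) echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Run it from the repository root as `sh dvwa.sh up` (and `sh dvwa.sh down` to remove the container). Setting `DVWA_PUBLISH=0.0.0.0:8082:80` makes the guard refuse to start, which is the point: exposing the lab beyond the host should be a deliberate decision, not the default.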

Configuration notes

  • mysql account

root/ (user root with an empty password)

  • apache2 working directory

/var/www/html/

  • DVWA account

admin/password

DVWA features

OWASP Top 10 2010:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

Some of the web application vulnerabilities which DVWA contains

  • Brute Force
  • Command Execution
  • Cross Site Request Forgery (CSRF)
  • File Inclusion
  • SQL Injection
  • Insecure File Upload
  • Cross Site Scripting (XSS)
  • Full path Disclosure
  • Authentication bypass
  • some others.

Links

  • Brute Force/Weak Passwords;

http://127.0.0.1/dvwa/login.php

http://127.0.0.1/dvwa/vulnerabilities/brute/

  • Command Execution;

http://127.0.0.1/dvwa/vulnerabilities/exec/

  • Cross Site Request Forgery (CSRF);

http://127.0.0.1/dvwa/vulnerabilities/csrf/

  • File Inclusion;

http://127.0.0.1/dvwa/vulnerabilities/fi/?page=include.php

  • SQL Injection;

http://127.0.0.1/dvwa/vulnerabilities/sqli/

http://127.0.0.1/dvwa/vulnerabilities/brute/

  • Insecure File Upload;

http://127.0.0.1/dvwa/vulnerabilities/upload/

  • Reflected Cross Site Scripting;

http://127.0.0.1/dvwa/vulnerabilities/xss_r/

  • Stored Cross Site Scripting;

http://127.0.0.1/dvwa/vulnerabilities/xss_s/

  • Full path Disclosure;

Site wide. Set PHPSESSID to NULL. (Null Session Cookie) http://www.owasp.org/index.php/Full_Path_Disclosure

  • Authentication bypass;

http://127.0.0.1/dvwa/setup.php

Reference links