This project is a hands-on walkthrough demonstrating how to:
- Build a local vulnerable web application lab
- Identify common web security flaws
- Document findings with evidence
- Apply secure coding fixes
- Harden database access controls
- Publish a professional security project to GitHub
- 💉 SQL Injection
- ⚠️ Cross-Site Scripting (XSS)
- 🔐 Cross-Site Request Forgery (CSRF)
- 🗄️ Database Security Hardening
- 📸 Documentation and Evidence Collection
- 🚀 Publishing a Security Project to GitHub
By following this guide, you gain exposure to both:
- Offensive vulnerability identification
- Defensive remediation techniques
| Tool | Purpose |
|---|---|
| XAMPP | Apache / PHP / MySQL local environment |
| DVWA | Vulnerable application for testing |
| VS Code | Code editing |
| Microsoft Word | Final report |
| Chrome or Firefox | Browser testing |
| Git | Version control |
| GitHub | Repository publishing |
https://www.apachefriends.org/download.html
https://github.com/digininja/DVWA
https://code.visualstudio.com/
Create:
Week6_Databases_Lab_Submission
Inside it create:
Final_Report
Screenshots
Code_Snippets
Database_Logs
GitHub_Upload
```
Week6_Databases_Lab_Submission
│
├── Final_Report
├── Screenshots
├── Code_Snippets
├── Database_Logs
└── GitHub_Upload
```
Open:
XAMPP Control Panel
Start:
Apache
MySQL
Both should turn green.
Capture:
- Apache running
- MySQL running
Save as:
Screenshot_01_XAMPP_Running.png
Download DVWA.
Extract ZIP.
Rename folder:
dvwa
Move it to:
C:\xampp\htdocs\
Final path:
C:\xampp\htdocs\dvwa
Capture DVWA inside:
htdocs
Save:
Screenshot_02_DVWA_In_HTDOCS.png
Open:
C:\xampp\htdocs\dvwa\config\config.inc.php
Set:
```php
$_DVWA['db_user'] = 'root';
$_DVWA['db_password'] = '';
```
Save.
Capture configuration changes.
Open:
http://localhost/dvwa/setup.php
Click:
Create / Reset Database
Capture successful setup.
Open:
http://localhost/dvwa/login.php
Login:
admin
password
Set security:
Low
Capture security setting.
Navigate:
DVWA → SQL Injection
Payload:
```
1' OR '1'='1
```
Submit.
Observe multiple records returned.
Capture exploit result.
Vulnerable code:
```php
$query = "SELECT * FROM users WHERE id='$id'";
```
Remediated code:
```php
$stmt = $pdo->prepare("SELECT * FROM users WHERE user_id=?");
$stmt->execute([$id]);
```
Screenshots:
- Screenshot 7 — Vulnerable code
- Screenshot 8 — Remediated code
Navigate:
DVWA → XSS Reflected
Input:
```html
<script>alert('XSS')</script>
```
Submit.
Capture XSS result.
Vulnerable code:
```php
echo $_GET['name'];
```
Fixed code:
```php
echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
```
Screenshots:
- Screenshot 10 — Vulnerable code
- Screenshot 11 — Fixed code
Navigate:
DVWA → CSRF
Change password:
test123
Submit.
Capture result.
```php
// Missing field defaults to '' so hash_equals() always receives two strings
// (passing null raises a TypeError on PHP 8) and the check fails closed.
if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'] ?? '')) {
    die('Invalid CSRF token');
}
```
Include:
```html
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8'); ?>">
```
Screenshots:
- Screenshot 13 — Vulnerable
- Screenshot 14 — Fixed
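The snippets above verify a token but do not show where it comes from. As an added example (not code from the lab or from DVWA), here is the complete token lifecycle for the password-change form: generation with a CSPRNG, the hidden field, and a fail-closed check. It takes the session as an array argument so it runs from the CLI; in the real page pass `$_SESSION`. The function names `csrf_token`, `csrf_field`, `csrf_verify` and `handle_password_change` are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not part of the original lab. Assumed helper names.

// Return the session's CSRF token, creating it on first use.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // random_bytes() is a CSPRNG; never use rand()/uniqid() for tokens.
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $session['csrf_token'];
}

// Hidden input for the form; the value is HTML-escaped like the XSS fix.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Fail closed: a missing, empty or non-string field is rejected before
// hash_equals() runs, so no TypeError and no "accidental" pass.
function csrf_verify(array $session, $submitted): bool
{
    if (!isset($session['csrf_token']) || !is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted); // constant-time
}

// Request handler for the password-change form; $post stands in for $_POST.
function handle_password_change(array $session, array $post): string
{
    if (!csrf_verify($session, $post['csrf_token'] ?? null)) {
        return 'Invalid CSRF token';
    }
    // ... update the password here using a prepared statement ...
    return 'Password changed';
}

// Stand-alone demo with an array in place of $_SESSION.
$session = [];
$token   = csrf_token($session);
echo csrf_field($session), PHP_EOL;
echo handle_password_change($session, ['password_new' => 'x', 'csrf_token' => $token]), PHP_EOL;
echo handle_password_change($session, ['password_new' => 'x']), PHP_EOL;               // forged: no token
echo handle_password_change($session, ['password_new' => 'x', 'csrf_token' => 'abc']), PHP_EOL; // forged: wrong token
```

Only the first call succeeds; a cross-site request cannot read the victim's session token, so the other two are rejected.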
Open:
http://localhost/phpmyadmin
Run:
```sql
CREATE USER 'webuser'@'localhost' IDENTIFIED BY 'StrongPassword123!';
GRANT SELECT, INSERT, UPDATE ON dvwa.* TO 'webuser'@'localhost';
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'webuser'@'localhost';
```
Capture grants output.
Security concepts applied:
- ✅ Least privilege
- ✅ Reduced attack surface
- ✅ Separation of duties
Include:
- Vulnerability Report
- Applied Fixes
- Database Configuration Enhancements
- Screenshots and Logs
- Reflection
- Submission Checklist
Save:
Week6_Databases_Lab_Final_Report.docx
Commands used:
```shell
git init
git add .
git commit -m "Add database web application vulnerability assessment"
git branch -M main
git push -u origin main
```
Repository:
https://github.com/ericsledge/WebApp-Database-Vulnerability-Assessment
Complete package should contain:
- Final report
- 15 screenshots
- Code snippets
- Database hardening commands
- GitHub repository
- ZIP submission folder
- Web Application Security Testing
- Vulnerability Analysis
- Secure Coding Practices
- Database Hardening
- Technical Documentation
- Git / GitHub Version Control