OWASP Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication.
class Added platform check for ping command Mar 19, 2018
css Added files Jan 7, 2017
fonts Added files Jan 7, 2017
img Added OWASP image Mar 25, 2017
includes Added files Jan 7, 2017
js Added files Jan 7, 2017
pages Added files Jan 7, 2017
vendor Added files Jan 7, 2017
README.md Updated readme Jun 13, 2018
blind-sql-injection.php Fixed url Jan 7, 2017
brute-force.php Fixed url Jan 7, 2017
command-execution.php Fixed url Jan 7, 2017
composer.json Added files Jan 7, 2017
csrf.php Fixed url Jan 7, 2017
error-sql-injection.php Fixed url Jan 7, 2017
file-inclusion.php Fixed url Jan 7, 2017
index.php Updated content Mar 25, 2017
logout.php Added files Jan 7, 2017
phpinfo.php Added files Jan 7, 2017
reflected-xss.php Fixed url Jan 7, 2017
setup.php Added files Jan 7, 2017
stored-xss.php Fixed url Jan 7, 2017
ws-socket.php Added files Jan 7, 2017

README.md

OWASP Damn Vulnerable Web Sockets (DVWS)

OWASP Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication. The flow of the application is similar to DVWA. You will find more vulnerabilities than the ones listed in the application.

https://www.owasp.org/index.php/OWASP_Damn_Vulnerable_Web_Sockets_(DVWS)

Requirements

In the hosts file of your attacker machine, create an entry for dvws.local that points at the IP address of the machine hosting the DVWS application.

Location of hosts file:

Windows: C:\windows\System32\drivers\etc\hosts

Linux: /etc/hosts

Sample entry for hosts file:

192.168.100.199         dvws.local
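
Added example (not part of the DVWS project): a POSIX shell helper that creates the hosts entry above idempotently and removes a stale dvws.local mapping that points at a different IP. The function name ensure_hosts_entry and the demo file contents are constructed for illustration.

```shell
#!/bin/sh
# ensure_hosts_entry is a hypothetical helper, not part of DVWS.
# usage: ensure_hosts_entry <hosts-file> <ip> <hostname>
# Afterwards <hostname> is mapped to <ip> and to no other address.
ensure_hosts_entry() {
    hosts_file=$1 ip=$2 name=$3
    [ -f "$hosts_file" ] || { echo "no such file: $hosts_file" >&2; return 1; }
    tmp=$(mktemp) || return 1

    awk -v ip="$ip" -v name="$name" '
        NF == 0 || $1 ~ /^#/ { print; next }      # keep blanks and comment lines
        {
            keep = $1; hit = 0; others = 0
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 1) == "#") {    # trailing comment: copy as is
                    for (; i <= NF; i++) keep = keep " " $i
                    break
                }
                if ($i == name) { hit = 1; continue }
                keep = keep " " $i; others++
            }
            if (!hit)     { print; next }         # line does not mention the host
            if ($1 == ip) { print; found = 1; next }   # already correct
            if (others)   print keep              # stale IP: drop only this name
        }
        END { if (!found) print ip "\t" name }    # append when missing
    ' "$hosts_file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write in place so the file keeps its owner and permissions.
    cat "$tmp" > "$hosts_file"
    rm -f "$tmp"
}

# Demo on a constructed file; the real target is /etc/hosts (needs root).
demo=$(mktemp)
printf '127.0.0.1 localhost\n10.0.0.5 dvws.local old.example\n' > "$demo"
ensure_hosts_entry "$demo" 192.168.100.199 dvws.local
cat "$demo"
rm -f "$demo"
```

On Linux, run it as root against /etc/hosts; running it a second time leaves the file unchanged.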

The application requires the following:

Apache + PHP + MySQL

PHP with MySQLi support

Ratchet

ReactPHP-MySQL

Note: Ratchet and ReactPHP-MySQL are packaged inside DVWS. Separate installation is not required.

Setting up DVWS

Set the MySQL hostname, username, password and an existing database name in the includes/connect-db.php file, then go to Setup to finish setting up DVWS.

Running DVWS

On the host running this application, run the following command from the DVWS directory: php ws-socket.php

Important Note

DVWS has been developed with limited knowledge of Web Sockets. Feel free to contribute and enhance this project.
