DVWA is an intentionally vulnerable web application that you can install on your server to test vulnerability scanners or to practice penetration testing. You may want to use DVWA to test the capabilities of the Acunetix vulnerability scanner and compare it to similar tools. This article explains how to set up Acunetix to scan the DVWA application.
Download and Install DVWA
- Download DVWA from http://www.dvwa.co.uk/
- Install DVWA on your test server according to the instructions in the DVWA GitHub repository. Ensure that the server is not accessible from the Internet.
Note: For the purposes of this article, we used http://acunetix.dvwa.com as the address of the test server. This is not a publicly accessible server. You must change the address in the examples below to reflect your installation.
- Test if the DVWA application works correctly by going to the URL and logging in using the username admin and the password password.
Configure Acunetix to Scan DVWA
- Add DVWA as a target in Acunetix. Click on the Targets menu on the left and then click on the Add Target option in the Targets menu. Enter your DVWA URL in the Address field.
Note: Add the root URL not the login.php script address, for example, http://acunetix.dvwa.com not http://acunetix.dvwa.com/login.php.
- Click on the Targets menu on the left and click on the http://acunetix.dvwa.com target.
- Set the Business Criticality to Low to signify that scanning this application will not have any effect on the performance of your organization.
- Click on the Site Login option to open the Site Login section.
- Click on the Use pre-recorded login sequence option.
- Click on the New link below the Login Sequence field to open the Login Sequence Recorder (LSR). The DVWA login screen will be displayed.
- Enter the DVWA credentials in the LSR (admin/password).
- Click on the Next button to proceed to configure restrictions.
- Click on the icon above the right panel.
- Enter the following in the Restriction field below:
GET http://acunetix.dvwa.com/logout.php HTTP/1.1
- Repeat the previous two steps (open a new restriction and enter the request) for each of the following four values:
GET http://acunetix.dvwa.com/security.php HTTP/1.1
GET http://acunetix.dvwa.com/phpinfo.php HTTP/1.1
GET http://acunetix.dvwa.com/setup.php HTTP/1.1
GET http://acunetix.dvwa.com/instructions.php HTTP/1.1
- Click on the Next button to have LSR identify the session and click on the Finish button when identification is complete.
- Scroll down to the Crawling section of the target configuration page.
- In the Excluded Paths field, enter the following regular expression:
^\/vulnerabilities/csrf/.*$
Then click on the + button to add it.
- Repeat the previous step and add the following regular expression:
^\/vulnerabilities/captcha/.*$
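Before starting the scan it is worth checking that the five LSR restrictions and the two Excluded Paths expressions cover the request forms you expect. The following Python script is an added example, not Acunetix code and not part of the original article: it applies the article's restriction list and regular expressions to a constructed list of crawled requests and reports which ones would be held back. It assumes that a restriction is compared on HTTP method plus URL path and that an exclusion is compared on the path only (query string ignored); how the scanner itself performs these matches is not described in the article, so treat the output as a sanity check on the patterns rather than a model of the product.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Address of the DVWA test server used in the article (not a public host).
BASE_URL = "http://acunetix.dvwa.com"

# Login Sequence Recorder restrictions from the article. Each of these pages
# would log the scanner out, change the DVWA security level, or reset the
# application, so they must never be replayed during an authenticated scan.
RESTRICTED_REQUESTS = {
    ("GET", "/logout.php"),
    ("GET", "/security.php"),
    ("GET", "/phpinfo.php"),
    ("GET", "/setup.php"),
    ("GET", "/instructions.php"),
}

# Crawler Excluded Paths, copied verbatim from the article. Python's re module
# treats "\/" as a literal "/", so the patterns work unchanged.
EXCLUDED_PATH_PATTERNS = [re.compile(p) for p in (
    r"^\/vulnerabilities/csrf/.*$",
    r"^\/vulnerabilities/captcha/.*$",
)]


def classify(method, url):
    """Return the verdict for one crawled request.

    Assumption (this script's, not the scanner's): restrictions are matched on
    method + path, exclusions on the path alone; the query string is ignored.
    """
    target = urlparse(url)
    if target.netloc != urlparse(BASE_URL).netloc:
        return "out-of-scope"          # a different host is not the target
    path = target.path or "/"
    if (method.upper(), path) in RESTRICTED_REQUESTS:
        return "restricted"
    if any(p.match(path) for p in EXCLUDED_PATH_PATTERNS):
        return "excluded"
    return "in-scope"


def filter_crawl(requests):
    """Group (method, url) pairs by verdict, keeping crawl order in each group."""
    groups = defaultdict(list)
    for method, url in requests:
        groups[classify(method, url)].append((method, url))
    return dict(groups)


# Constructed sample of requests a crawler might discover on a DVWA install.
SAMPLE_CRAWL = [
    ("GET", "http://acunetix.dvwa.com/index.php"),
    ("GET", "http://acunetix.dvwa.com/vulnerabilities/sqli/?id=1&Submit=Submit"),
    ("GET", "http://acunetix.dvwa.com/vulnerabilities/csrf/?step=1"),
    ("GET", "http://acunetix.dvwa.com/vulnerabilities/csrf"),     # no trailing slash
    ("GET", "http://acunetix.dvwa.com/vulnerabilities/captcha/"),
    ("GET", "http://acunetix.dvwa.com/logout.php"),
    ("GET", "http://acunetix.dvwa.com/setup.php"),
    ("POST", "http://acunetix.dvwa.com/security.php"),           # method differs from the rule
    ("GET", "http://example.invalid/index.php"),                 # another host entirely
]

if __name__ == "__main__":
    for verdict, items in sorted(filter_crawl(SAMPLE_CRAWL).items()):
        print(f"{verdict}:")
        for method, url in items:
            print(f"  {method} {url}")
```

Two of the sample entries are deliberately borderline: `/vulnerabilities/csrf` without a trailing slash is not matched by `^\/vulnerabilities/csrf/.*$`, and a POST to `security.php` does not match a restriction written as a GET. Under the literal matching used here both remain in scope, which is exactly the kind of gap to look for when adapting the patterns to your own installation.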
Scan the Target
Once the configuration is complete, you can scan the target. To identify all vulnerabilities, use the Full Scan type. We also recommend running this scan using Moderate scan speed to ensure that no requests are lost due to the target being flooded.
- Click on the Targets menu on the left and click on the http://acunetix.dvwa.com target.
- Set the Scan Speed to Moderate.
- Click on the Save button in the top-right corner and then the Scan button to open the Choose Scanning Options box.
- Make sure that Full Scan is selected in the Scan Type field and then click on the Create Scan button.
Based on independent reports from other vulnerability scanners, the DVWA application has various vulnerabilities including brute force login, command execution, CSRF, file inclusion, SQL Injection, upload vulnerability, and XSS. Our scans using Acunetix identified 75 vulnerabilities: 16 critical, 37 medium, 22 low, and 6 informational. You can use these results as a benchmark to confirm that your DVWA scan ran successfully.