This project provides a guide for setting up Damn Vulnerable Web Application (DVWA) on a cloud VM and testing it using Parrot OS running locally.
Note: This project is not affiliated with or endorsed by the original DVWA project.
For the official DVWA repository, please visit https://github.com/digininja/DVWA
- Cloud VM: Hosts DVWA, accessible only through SSH tunneling
- Local Machine: Runs Parrot OS in a virtual machine for penetration testing
This setup allows for a secure, isolated environment to practice ethical hacking techniques.
- Cloud VM (Google Cloud or AWS) running DVWA
- Local VM running Parrot OS
- SSH tunneling for secure access to DVWA
- DVWA is isolated in the cloud, reducing risk to your local network
- Parrot OS provides a full suite of penetration testing tools
- SSH tunneling ensures secure access to the vulnerable application
- Cloud VM Setup
- DVWA Installation
- Accessing DVWA
- Using Parrot OS for Testing
- Vulnerability Testing Guide
- Security Considerations
- Disclaimer
- Create a VM instance on AWS EC2 or Google Cloud Platform.
- Choose a Ubuntu 20.04 LTS image.
- Configure security groups/firewall rules to allow SSH access only.
- Generate and download SSH keys.
- SSH into your VM:

```bash
ssh -i your-key.pem ubuntu@your-instance-ip   # For AWS
```

- Update the system and install dependencies:

```bash
sudo apt update && sudo apt upgrade -y
sudo apt install -y apache2 php php-mysqli php-gd libapache2-mod-php git mysql-server
```

- Clone DVWA:

```bash
cd /var/www/html
sudo git clone https://github.com/digininja/DVWA.git
```

- Configure DVWA: copy the template config and update the database settings so that 'db_server' is '127.0.0.1' and 'db_user' / 'db_password' match the MySQL account you create in the next step.

```bash
sudo cp /var/www/html/DVWA/config/config.inc.php.dist /var/www/html/DVWA/config/config.inc.php
sudo nano /var/www/html/DVWA/config/config.inc.php
```

- Set up MySQL (replace 'secure_password' with the password you put in config.inc.php):

```bash
sudo mysql
```

```sql
CREATE DATABASE dvwa;
CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'secure_password';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
FLUSH PRIVILEGES;
EXIT;
```

- Configure Apache: change DocumentRoot to `/var/www/html/DVWA`.

```bash
sudo nano /etc/apache2/sites-available/000-default.conf
```

- Restart Apache:

```bash
sudo systemctl restart apache2
```
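The "Configure DVWA" and "Configure Apache" steps edit two files by hand. As an added example (not code from this guide or from the DVWA project), the script below makes the same edits with sed and checks the result before Apache is restarted. It assumes the paths used in this guide and that config.inc.php.dist ships with the placeholder password 'p@ssw0rd'; the helper names are my own.

```bash
#!/usr/bin/env bash
# Added helper (not part of DVWA or this guide) for the "Configure DVWA" and
# "Configure Apache" steps. Assumes the guide's paths and that the .dist template
# carries the placeholder password 'p@ssw0rd'; the real password is passed in.
set -eu

# Escape a value for the right-hand side of a sed 's|...|...|' command.
sed_escape() { printf '%s' "$1" | sed 's/[|&\\]/\\&/g'; }

# Rewrite one $_DVWA[ 'key' ] entry in place.  Usage: set_dvwa_key <file> <key> <value>
set_dvwa_key() {
  local file="$1" key="$2" val
  val=$(sed_escape "$3")
  sed -i "s|^\([[:space:]]*[$]_DVWA\[ *'${key}' *\] *= *\).*|\1'${val}';|" "$file"
}

# Copy the .dist template to config.inc.php with db_server pinned to loopback
# and db_user/db_password matching the MySQL user created in the guide.
# Usage: render_dvwa_config <template> <output> <db_password>
render_dvwa_config() {
  cp "$1" "$2"
  set_dvwa_key "$2" db_server 127.0.0.1
  set_dvwa_key "$2" db_user dvwa
  set_dvwa_key "$2" db_password "$3"
}

# Point Apache's default vhost at the DVWA checkout.  Usage: set_document_root <conf> <path>
set_document_root() {
  sed -i "s|^\([[:space:]]*DocumentRoot[[:space:]][[:space:]]*\).*|\1$(sed_escape "$2")|" "$1"
}

# Pre-restart check: DB stays on loopback and the placeholder password is gone.
check_dvwa_config() {
  grep -q "'db_server' *\] *= *'127\.0\.0\.1';" "$1" || return 1
  if grep -q "'db_password' *\] *= *'p@ssw0rd';" "$1"; then return 1; fi
  return 0
}

# Self-contained demo on a constructed template, so it runs without a VM.
demo() {
  local d; d=$(mktemp -d)
  printf '%s\n' '<?php' "\$_DVWA[ 'db_server' ]   = '127.0.0.1';" \
    "\$_DVWA[ 'db_user' ]     = 'dvwa';" "\$_DVWA[ 'db_password' ] = 'p@ssw0rd';" \
    > "$d/config.inc.php.dist"
  printf '<VirtualHost *:80>\n\tDocumentRoot /var/www/html\n</VirtualHost>\n' > "$d/000-default.conf"
  render_dvwa_config "$d/config.inc.php.dist" "$d/config.inc.php" 'secure_password'
  set_document_root "$d/000-default.conf" /var/www/html/DVWA
  check_dvwa_config "$d/config.inc.php" && echo "rendered config in $d passes checks"
}
demo
```

On the VM, run the functions with sudo against the real paths from the guide; the demo only touches a temporary directory.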
- Set up an SSH tunnel so DVWA is only reachable through it:

```bash
gcloud compute ssh dvwa-vm --zone=your-zone -- -L 8080:localhost:80   # For GCP
ssh -i your-key.pem -L 8080:localhost:80 ubuntu@your-instance-ip       # For AWS
```

- Access DVWA through your browser at http://localhost:8080
- Click on start/reset database at the bottom of the web page.
- Log in with the default credentials: admin / password
- Download and install Parrot OS Security Edition as a VM.
- Ensure Parrot OS VM and your cloud VM are on isolated networks.
- Use Parrot's built-in tools for testing DVWA vulnerabilities.
Parrot OS includes tools for testing each of DVWA's vulnerabilities:
- Brute Force: Use Hydra or Medusa
- Command Injection: Manual testing and custom scripts
- CSRF: Burp Suite's CSRF PoC generator
- File Inclusion: Manual testing and custom scripts
- File Upload: Upload potential malicious files (non-executable in this context)
- Insecure CAPTCHA: Manual testing
- SQL Injection: SQLmap
- SQL Injection (Blind): SQLmap using its blind techniques (`--technique=B` for boolean-based, `--technique=T` for time-based)
- Weak Session IDs: Burp Suite Sequencer
- XSS (DOM, Reflected, Stored): XSSer and manual testing
- CSP Bypass: Manual testing and CSP Evaluator
- JavaScript: Browser's Developer Tools
- Authorization Bypass: Manual testing and Burp Suite
- Open HTTP Redirect: Manual testing and OWASP ZAP
- Keep the VM firewalled and accessible only through SSH.
- Use strong, unique passwords for all services.
- Regularly update the VM's operating system and installed software.
- Never use this setup for testing systems you don't own or have explicit permission to test.
This setup is for educational purposes only. Never use these techniques or tools against systems you do not own or have explicit permission to test. The user assumes all responsibility for the use of this information.