This project simulates real-world web attacks on the Damn Vulnerable Web Application (DVWA) hosted on Metasploitable, using Kali Linux as the attacker. It demonstrates core OWASP vulnerabilities with tools like SQLmap, Hydra, Burp Suite, and manual testing techniques.
| VM | Role | Description |
|---|---|---|
| Kali Linux | Attacker | Nmap, SQLmap, Hydra, Burp Suite |
| Metasploitable | Target | DVWA (SQLi, XSS, CSRF, CMD Injection) |
Network: Bridged, same subnet
dvwa-vapt-lab/ βββ docs/ β βββ DVWA_VAPT_Report.docx β βββ DVWA_VAPT_Report.pdf βββ screenshots/ βββ README.md βββ attack_walkthrough.md βββ vulnerability_findings.md βββ csrf_attack.html (PoC file if CSRF-medium)
| Attack Type | Tool | Notes |
|---|---|---|
| SQL Injection | SQLmap | DB enumeration, bypass login |
| Command Injection | Browser/Burp | Executed id, uname -a |
| Auth Bypass | Manual | ' or '1'='1 exploited login form |
| FTP Brute Force | Hydra | Cracked msfadmin via vsftpd |
| XSS (Reflected/Stored) | Browser | Alert popups captured |
| CSRF (Medium Security) | HTML PoC | Tokenless GET attack crafted & worked |
- Full walkthrough:
attack_walkthrough.md - Vulnerability descriptions:
vulnerability_findings.md - Final report:
docs/DVWA_VAPT_Report.docx
Found in /screenshots folder β includes commands, Burp Suite captures, payloads, and success indicators.
This project demonstrates practical offensive security skills, tool usage, manual and automated exploitation, and modern reporting β all documented in a reproducible GitHub repository.