Overclock Web Application (OCWA) is a PHP/MariaDB web application that is intentially vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
The aim of OCWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.
Overclock Web Application is vulnerable! Do not upload it to your hosting provider's public html folder or any Internet facing servers, as they will be compromised. It is recommended using a virtual machine (such as VirtualBox or VMware), which is set to NAT networking mode. Inside a guest machine, you can download and install XAMPP for the web server and database.
We do not take responsibility for the way in which any one uses this application (OCWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing OCWA on to live web servers. If your web server is compromised via an installation of OCWA, it is not our responsibility, it is the responsibility of the person/s who uploaded and installed it.
git clone https://github.com/0x31i/OCWA.gitOr download a ZIP of the files.
An automated configuration script for DVWA on Debian-based machines, including Kali, Ubuntu, Kubuntu, Linux Mint, Zorin OS...
Note: This script requires root privileges and is tailored for Debian-based systems. Ensure you are running it as the root user.
- Operating System: Debian-based system (Kali, Ubuntu, Kubuntu, Linux Mint, Zorin OS)
- Privileges: Execute as root user
-
This will download an install script written by @0x31i and run it automatically.
sudo bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/0x31i/OCWA-Script/main/Install-OCWA.sh)" -
Automatically make Debian vulnerable, and generate flags:
sudo bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/0x31i/OCWA-Script/main/Debian-Setup.sh)" -
Configure Apache
sudo sed -i.backup 's|DocumentRoot /var/www/html.*|DocumentRoot /var/www/html/OC|g' /etc/apache2/sites-available/000-default.conf && sudo apache2ctl configtest && sudo service apache2 restart
-
Download the script:
wget https://raw.githubusercontent.com/0x31i/OCWA-Script/main/Install-OCWA.sh
-
Make the script executable:
chmod +x Install-OCWA.sh
-
Run the script as root:
sudo ./Install-OCWA.sh
Ideally you should be using the latest stable version of PHP as that is the version that this app will be developed and tested on.
Support will not be given for anyone trying to use PHP 5.x.
Versions less than 7.3 have known issues that will cause problems, most of the app will work, but random things may not. Unless you have a very good reason for using such an old version, support will not be given.
If you are using a Debian based Linux distribution, you will need to install the following packages (or their equivalent):
- apache2
- libapache2-mod-php
- mariadb-server
- mariadb-client
- php php-mysqli
- php-gd
I would recommend doing an update before this, just so you make sure you are going to get the latest version of everything.
apt update
apt install -y apache2 mariadb-server mariadb-client php php-mysqli php-gd libapache2-mod-phpThe site will work with MySQL instead of MariaDB but we strongly recommend MariaDB as it works out of the box whereas you have to make changes to get MySQL to work correctly.
If you want to use the API lab you must have the Apache module mod_rewrite enabled. To do this in Linux run:
a2enmod rewrite
And then restart Apache with:
apachectl restart
If you want to use the API module you will need to install a set of vendor files using Composer.
First, make sure you have Composer installed. There seem to be backward compatibility issues so I always get the latest version from here:
https://getcomposer.org/doc/00-intro.md
Follow the instructions the site gives to get it installed.
Now go into the vulnerabilities/api directory and run:
composer.phar install
If you did not install Composer to the system path, make sure you reference its full location.
OCWA ships with a dummy copy of its config file which you will need to copy into place and then make the appropriate changes. On Linux, assuming you are in the OCWA directory, this can be done as follows:
cp config/config.inc.php.dist config/config.inc.php
On Windows, this can be a bit harder if you are hiding file extensions, if you are unsure about this, this blog post explains more about it:
How to Make Windows Show File Extensions
Instead of modifying the configuration file, you can also set most settings using environment variables. In a Docker or Kubernetes deployment, this allows you to modify the configuration without creating a new Docker image. You'll find the variables in the config/config.inc.php.dist file.
If you want to set the default security level to "low", simply add the following line to the compose.yml file:
environment:
- DB_SERVER=db
- DEFAULT_SECURITY_LEVEL=lowTo set up the database, simply click on the Setup DVWA button in the main menu, then click on the Create / Reset Database button. This will create / reset the database for you with some data in.
If you receive an error while trying to create your database, make sure your database credentials are correct within ./config/config.inc.php. This differs from config.inc.php.dist, which is an example file.
The variables are set to the following by default:
$_DVWA[ 'db_server'] = '127.0.0.1';
$_DVWA[ 'db_port'] = '3306';
$_DVWA[ 'db_user' ] = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
$_DVWA[ 'db_database' ] = 'dvwa';Note, if you are using MariaDB rather than MySQL (MariaDB is default in Kali), then you can't use the database root user, you must create a new database user. To do this, connect to the database as the root user then use the following commands:
MariaDB [(none)]> create database dvwa;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> create user dvwa@localhost identified by 'p@ssw0rd';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> grant all on dvwa.* to dvwa@localhost;
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
Some tools don't work well with authentication so can't be used with DVWA. To get around this, there is a config option to disable authentication checking. To do this, simply set the following in the config file:
$_DVWA[ 'disable_authentication' ] = true;You will also need to set the security level to one that is appropriate to the testing you want to do:
$_DVWA[ 'default_security_level' ] = 'low';In this state, you can access all the features without needing to log in and set any cookies.
./hackable/uploads/- Needs to be writeable by the web service (for File Upload).
On Linux systems, likely found in /etc/php/x.x/fpm/php.ini or /etc/php/x.x/apache2/php.ini.
-
To allow Remote File Inclusions (RFI):
allow_url_include = on[allow_url_include]allow_url_fopen = on[allow_url_fopen]
-
To make sure PHP shows all error messages:
display_errors = on[display_errors]display_startup_errors = on[display_startup_errors]
Make sure you restart the php service or Apache after making the changes.
This is only required for the "Insecure CAPTCHA" lab, if you aren't playing with that lab, you can ignore this section.
Generated a pair of API keys from https://www.google.com/recaptcha/admin/create.
These then go in the following sections of ./config/config.inc.php:
$_DVWA[ 'recaptcha_public_key' ]$_DVWA[ 'recaptcha_private_key' ]
Default username = admin
Default password = password
...can easily be brute forced ;)
Login URL: http://127.0.0.1/login.php
Note: This will be different if you installed DVWA into a different directory.
These assume you are on a Debian based distro, such as Debian, Ubuntu and Kali. For other distros, follow along, but update the command where appropriate.
If you'd rather watch a video than read words, the most common issues are covered in the video Fixing DVWA Setup Issues.
If you are using Docker Desktop, logs can be accessed from the graphical application. Some minor details may change with newer versions, but the access method should be the same.
Logs can also be accessed from the terminal.
-
Open a terminal and change its working directory to DVWA
-
Show the merged logs
docker compose logs
In case you want to export the logs to a file, e.g.
dvwa.logdocker compose logs > dvwa.log
We don't use port 80 by default for a few reasons:
- Some users might already be running something on port 80.
- Some users might be using a rootless container engine (like Podman), and 80 is a privileged port (< 1024). Additional configuration (e.g. setting
net.ipv4.ip_unprivileged_port_start) is required, but you will have to research on your own.
You can expose DVWA on a different port by changing the port binding in the compose.yml file.
For example, you can change
ports:
- 127.0.0.1:4280:80to
ports:
- 127.0.0.1:8806:80DVWA is now accessible at http://localhost:8806.
In cases in which you want DVWA to not only be accessible exclusively from your own device, but
on your local network too (e.g. because you are setting up a test machine for a workshop), you
can remove the 127.0.0.1: from the port mapping (or replace it with you LAN IP). This way it
will listen on all available device. The safe default should always be to only listen on your
local loopback device. After all, it is a damn vulnerable web application, running on your machine.
The included compose.yml file automatically runs DVWA and its database when Docker starts.
To disable this, you can delete or comment out the restart: unless-stopped lines in the compose.yml file.
If you want to disable this behavior temporarily, you can run docker compose stop, or use Docker Desktop, find dvwa and click Stop.
Additionally, you can delete the containers, or run docker compose down.
On Linux systems Apache generates two log files by default, access.log and error.log and on Debian based system these are usually found in /var/log/apache2/.
When submitting error reports, problems, anything like that, please include at least the last five lines from each of these files. On Debian based systems you can get these like this:
tail -n 5 /var/log/apache2/access.log /var/log/apache2/error.logIf you are having this problem you need to understand file locations. By default, the Apache document root (the place it starts looking for web content) is /var/www/html. If you put the file hello.txt in this directory, to access it you would browse to http://localhost/hello.txt.
If you created a directory and put the file in there - /var/www/html/mydir/hello.txt - you would then need to browse to http://localhost/mydir/hello.txt.
Linux is by default case sensitive and so in the example above, if you tried to browse to any of these, you would get a 404 Not Found:
http://localhost/MyDir/hello.txthttp://localhost/mydir/Hello.txthttp://localhost/MYDIR/hello.txt
How does this affect DVWA? Most people use git to clone DVWA into /var/www/html, this gives them the directory /var/www/html/DVWA/ with all the DVWA files inside it. They then browse to http://localhost/ and get either a 404 or the default Apache welcome page. As the files are in DVWA, you must browse to http://localhost/DVWA.
The other common mistake is to browse to http://localhost/dvwa which will give a 404 because dvwa is not DVWA as far as Linux directory matching is concerned.
So after setup, if you try to visit the site and get a 404, think about where you installed the files to, where they are relative to the document root, and what the case of the directory you used is.
This is usually one configuration issue hiding another issue. By default, PHP does not display errors, and so if you forgot to turn error display on during the setup process, any other problems, such as failure to connect to the database, will stop the app from loading but the message to tell you what is wrong will be hidden.
To fix this, make sure you set display_errors and display_startup_errors as covered in PHP Configuration and then restart Apache.
If you see the following when running the setup script it means the username or password in the config file do not match those configured on the database. Video Help
Database Error #1045: Access denied for user 'notdvwa'@'localhost' (using password: YES).
The error is telling you that you are using the username notdvwa.
The following error says you have pointed the config file at the wrong database. Video Help
SQL: Access denied for user 'dvwa'@'localhost' to database 'notdvwa'
It is saying that you are using the user dvwa and trying to connect to the database notdvwa.
The first thing to do is to double check what you think you put in the config file is what is actually there.
If it matches what you expect, the next thing to do is to check you can log in as the user on the command line. Assuming you have a database user of dvwa and a password of p@ssw0rd, run the following command:
mysql -u dvwa -pp@ssw0rd -D dvwaNote: There is no space after the -p
If you see the following, the password is correct:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 10.3.22-MariaDB-0ubuntu0.19.10.1 Ubuntu 19.10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [dvwa]>
As you can connect on the command line, it is likely something wrong in the config file, double check that and then raise an issue if you still can't get things working.
If you see the following, the username or password you are using is wrong. Repeat the Database Setup steps and make sure you use the same username and password throughout the process.
ERROR 1045 (28000): Access denied for user 'dvwa'@'localhost' (using password: YES)
If you get the following, the user credentials are correct but the user does not have access to the database. Again, repeat the setup steps and check the database name you are using.
ERROR 1044 (42000): Access denied for user 'dvwa'@'localhost' to database 'dvwa'
The final error you could get is this:
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
This is not an authentication issue but tells you that the database server is not running. Start it with the following
sudo service mysql startAn error similar to this one:
Fatal error: Uncaught mysqli_sql_exception: Connection refused in /var/sites/dvwa/non-secure/htdocs/dvwa/includes/dvwaPage.inc.php:535
Means your database server is not running or you've got the wrong IP address in the config file.
Check this line in the config file to see where the database server is expected to be:
$_DVWA[ 'db_server' ] = '127.0.0.1';Then go to this server and check that it is running. In Linux this can be done with:
systemctl status mariadb.serviceAnd you are looking for something like this, the important bit is that it says active (running).
β mariadb.service - MariaDB 10.5.19 database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-03-14 16:04:25 GMT; 1 week 5 days agoIf it is not running, you can start it with:
sudo systemctl stop mariadb.service Note the sudo and make sure you put your Linux user password in if requested.
In Windows, check the status in the XAMPP console.
With the most recent versions of MySQL, PHP can no longer talk to the database in its default configuration. If you try to run the setup script and get the following message it means you have configuration.
Database Error #2054: The server requested authentication method unknown to the client.
You have two options, the easiest is to uninstall MySQL and install MariaDB. The following is the official guide from the MariaDB project:
https://mariadb.com/resources/blog/how-to-migrate-from-mysql-to-mariadb-on-linux-in-five-steps/
Alternatively, follow these steps:
-
As root, edit the following file:
/etc/mysql/mysql.conf.d/mysqld.cnf -
Under the line
[mysqld], add the following:default-authentication-plugin=mysql_native_password -
Restart the database:
sudo service mysql restart -
Check the authentication method for your database user:
mysql> select Host,User, plugin from mysql.user where mysql.user.User = 'dvwa'; +-----------+------------------+-----------------------+ | Host | User | plugin | +-----------+------------------+-----------------------+ | localhost | dvwa | caching_sha2_password | +-----------+------------------+-----------------------+ 1 rows in set (0.00 sec)
-
You'll likely see
caching_sha2_password. If you do, run the following command:mysql> ALTER USER dvwa@localhost IDENTIFIED WITH mysql_native_password BY 'p@ssw0rd';
-
Re-running the check, you should now see
mysql_native_password.mysql> select Host,User, plugin from mysql.user where mysql.user.User = 'dvwa'; +-----------+------+-----------------------+ | Host | User | plugin | +-----------+------+-----------------------+ | localhost | dvwa | mysql_native_password | +-----------+------+-----------------------+ 1 row in set (0.00 sec)
After all that, the setup process should now work as normal.
If you want more information see the following page: https://www.php.net/manual/en/mysqli.requirements.php.
The database server is not running. In a Debian based distro this can be done with:
sudo service mysql startThere are a few reasons you could be getting these errors, but the most likely is the version of database server you are running is not compatible with the version of PHP.
This is most commonly found when you are running the latest version of MySQL as PHP and it do not get on well. Best advice, ditch MySQL and install MariaDB as this is not something we can support.
For more information, see:
https://www.ryadel.com/en/fix-mysql-server-gone-away-packets-order-similar-mysql-related-errors/
You may be running into problems with SELinux. Either disable SELinux or run this command to allow the web server to talk to the database:
setsebool -P httpd_can_network_connect_db 1For the latest troubleshooting information please read both open and closed tickets in the git repo:
https://github.com/digininja/DVWA/issues
Before submitting a ticket, please make sure you are running the latest version of the code from the repo. This is not the latest release, this is the latest code from the master branch.
If raising a ticket, please submit at least the following information:
- Operating System
- The last 5 lines from the web server error log directly after whatever error you are reporting occurs
- If it is a database authentication problem, go through the steps above and screenshot each step. Submit these along with a screenshot of the section of the config file showing the database user and password.
- A full description of what is going wrong, what you expect to happen, and what you have tried to do to fix it. "login broken" is no enough for us to understand your problem and to help fix it.
I am going to try to put together some tutorial videos that walk through some of the vulnerabilities and show how to detect them and then how to exploit them. Here are the ones I've made so far:
Finding and Exploiting Reflected XSS
Support for this is limited, before raising issues, please ensure you are prepared to work on debugging, do not simply claim "it does not work".
By default, SQLi and Blind SQLi are done against the MariaDB/MySQL server used by the site but it is possible to switch to do the SQLi testing against SQLite3 instead.
I am not going to cover how to get SQLite3 working with PHP, but it should be a simple case of installing the php-sqlite3 package and making sure it is enabled.
To make the switch, simply edit the config file and add or edit these lines:
$_DVWA["SQLI_DB"] = "sqlite";
$_DVWA["SQLITE_DB"] = "sqli.db";By default it uses the file database/sqli.db, if you mess it up, simply copy database/sqli.db.dist over the top.
The challenges are exactly the same as for MariaDB, they just run against SQLite3 instead.
Thanks for all your contributions and keeping this project updated. β€οΈ
If you have an idea, some kind of improvement or just simply want to collaborate, you are welcome to contribute and participate in the Project, feel free to send your PR.
To put it simply, please don't!
Once a year or so, someone will submit a report for a vulnerability they've found in the app, some are well written, sometimes better than I've seen in paid pen test reports, some are just "you are missing headers, pay me".
In 2023, this elevated to a whole new level when someone decided to request a CVE for one of the vulnerabities, they were given CVE-2023-39848. Much hilarity ensued and time was wasted getting this corrected.
The app has vulnerabilities, it is deliberate. Most are the well documented ones that you work through as lessons, others are "hidden" ones, ones to find on your own. If you really want to show off your skills at finding the hidden extras, write a blog post or create a video as there are probably people out there who would be interested in learning about them and about how your found them. If you send us the link, we may even include it in the references.
Project Home: https://github.com/digininja/DVWA
Created by the DVWA team