DVWA Medium Level Vulnerabilities
Report Title: Exploiting vulnerabilities of Damn Vulnerable Web Application at medium level
Author: Ansh. G. Gadhia
Roll No: 11
Date: April 01, 2025
LinkedIn ID: linkedin.com/in/ansh-gadhia
Author Note
This research was conducted as part of cybersecurity training. No external funding was involved in this
study. Correspondence concerning this report should be addressed to Ansh Gadhia at
[email protected].
DVWA Medium Level 2
Table of Contents
  Table of Contents (p. 2)
  Executive Summary (p. 3)
    Aim (p. 3)
    Abstract (p. 3)
    Purpose of Report (p. 3)
  Introduction (p. 4)
    Overview (p. 4)
    Objective (p. 5)
  Accessing and Setting up DVWA (p. 5)
    Configuring Security Level (p. 6)
  Exploitation Methodology (p. 7)
    Setting up Proxy for Burp Suite (p. 7)
  Brute Force Credentials (p. 8)
  Command Execution Exploit (p. 10)
  File Inclusion Vulnerability (p. 12)
  SQL Injection Vulnerability (p. 13)
  Blind SQL Injection Vulnerability (p. 15)
  File Upload Vulnerability (p. 17)
  Reflected XSS Vulnerability (p. 20)
  Stored XSS Vulnerability (p. 22)
  Conclusion (p. 24)
Aim
The aim of this report is to analyze and exploit vulnerabilities in the Damn Vulnerable Web
Application (DVWA) at Medium Security Level hosted on Metasploitable 2, demonstrating common
web security flaws and their mitigation techniques.
Abstract
This report explores DVWA, a deliberately vulnerable web application used for ethical hacking
and penetration testing practice. The primary focus is on Medium Security Level, where security
measures are implemented but still contain exploitable flaws. The study involves identifying and
exploiting vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), Command Injection, and CSRF
while evaluating their impact. Additionally, countermeasures are discussed to reinforce web application
security against real-world cyber threats.
Purpose
1. Understanding Web Vulnerabilities – To gain hands-on experience in identifying and exploiting
security flaws in web applications.
2. Security Analysis of DVWA (Medium Level) – To analyze how security mechanisms affect attack
execution and how attackers can still bypass them.
3. Testing Penetration Techniques – To explore methods like SQL Injection, XSS, CSRF, and
Command Injection at a controlled security level.
4. Mitigation Strategies – To suggest security best practices for preventing web-based attacks.
5. Enhancing Cybersecurity Skills – To develop a deeper understanding of ethical hacking, web
security testing, and vulnerability mitigation.
Introduction
Overview
Damn Vulnerable Web Application (DVWA) is a deliberately insecure web application designed
for security professionals, researchers, and students to practice penetration testing and understand
common web vulnerabilities. This report focuses on analysing DVWA at Medium Security Level, hosted
on Metasploitable 2, an intentionally vulnerable virtual machine running on port 80.
Fig 1 Vulnerable Web applications on Metasploitable 2.
Metasploitable 2 provides multiple vulnerable web applications, including DVWA, Mutillidae,
phpMyAdmin, and WebDAV, which serve as a testing ground for cybersecurity assessments. Within
DVWA, the security level is set to Medium, where basic security mechanisms are implemented but can
still be bypassed with the right techniques. Access to DVWA is obtained through a login page that
accepts default credentials (admin:password).
Fig 2 Default Login of DVWA.
Objective
The primary goal of this report is to explore vulnerabilities in DVWA (Medium Level) by
performing penetration testing on various modules, including:
1. SQL Injection – Testing database security and unauthorized data access.
2. Cross-Site Scripting (XSS) – Exploiting client-side script injection.
3. Command Injection – Executing system commands via web input fields.
4. CSRF (Cross-Site Request Forgery) – Forcing unauthorized actions on authenticated users.
5. File Inclusion & Upload Exploits – Bypassing security to execute arbitrary scripts.
Steps to Set Up DVWA and Configure Medium Security Level
1. Access Metasploitable 2
• Ensure Metasploitable 2 is running in a virtualized environment.
• Open a web browser and navigate to http://<Metasploitable_IP> (e.g., http://192.168.23.132).
• Click on DVWA from the list of available web applications.
2. Log in to DVWA
• Use the default credentials:
o Username: admin
o Password: password
• Click Login to access the DVWA dashboard.
Fig 3 DVWA Current Security Configuration.
3. Configure Security Level
• Navigate to DVWA Security from the left sidebar.
• In the Script Security section, locate the Security Level dropdown menu.
• Select Medium from the dropdown.
• Click Submit to apply the changes.
4. Verify the Security Level
• After submitting, the page will refresh, displaying "Security level set to medium" at the bottom.
• Ensure PHPIDS (PHP Intrusion Detection System) remains disabled for unrestricted testing.
Exploitation Methodology
Setting up Burp Proxy for DVWA
1. Open Burp Suite
• Launch Burp Suite in your system.
• Select Temporary Project → Click Next → Start Burp.
2. Configure Burp Proxy Listener
• Go to Proxy → Options tab.
• Ensure a proxy listener is active on 127.0.0.1:8080 (default).
• If no listener is available:
o Click Add, set the bind address to 127.0.0.1, port 8080, and click OK.
Fig 4 Proxy tab in Burp Suite.
3. Set Up Browser Proxy
• Open Firefox (recommended for easy proxy configuration).
• Navigate to Settings → Network Settings → Manual Proxy Configuration.
• Set:
o HTTP Proxy: 127.0.0.1
o Port: 8080
o Check Use this proxy server for all protocols.
• Click OK to save settings.
4. Test Proxy Interception
• In Burp, go to Proxy → Intercept tab and ensure Intercept is ON.
• Open http://192.168.23.132/DVWA/ in Firefox.
• The request should be intercepted in Burp Suite.
• Forward the request or turn Intercept OFF for seamless browsing while capturing requests in
HTTP history.
Brute-Force Vulnerability Attack on Login Panel
1. Identifying the Target
• Accessed the Brute Force Vulnerability tab on the web application.
• Entered test credentials such as admin:admin to observe login behavior.
Fig 5 Brute force vulnerability page.
1.1 Intercepting the Request
• Used Burp Suite to intercept the login request.
• Examined the HTTP request to identify key parameters such as username and password.
1.2 Analysing the Response
• Observed the server response indicating authentication failure.
• Noted the structure of failed login attempts to detect possible attack vectors.
Fig 6 Analysing the request captured by Burp.
Fig 7 A failed login attempt.
1.3 Sending the Request to Intruder
• Forwarded the intercepted request to Burp Suite Intruder.
Fig 8 Sending the request to the Intruder tab in Burp Suite.
Fig 9 Setting payload positions.
• Configured password as the payload position while keeping the username constant as admin.
1.4 Executing the Attack
• Loaded a wordlist in the Intruder payload settings for brute-force testing.
• Started the attack, sending multiple login attempts with different passwords.
1.5 Identifying the Correct Password
• Examined the response lengths in Intruder’s results.
• Noticed that one request had a different response length, indicating successful authentication.
Fig 10 Suspicious credential.
1.6 Gaining Access
• Used the retrieved credentials admin:[password] to successfully log into the system.
• Verified access to the target application, confirming the vulnerability.
Fig 11 Brute Force was successful.
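The attack above leaves a very recognisable trace in the web server's access log: many requests to the login page from one client in a short time, with one response whose size differs from the rest. The following is an added example (not part of the report, and Python rather than DVWA's PHP) that flags such a burst from constructed log lines; the request path, the one-minute window and the five-attempt threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log style line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BRUTE_PATH = "/dvwa/vulnerabilities/brute/"   # assumed path of the Brute Force page

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = int(rec["size"])
    return rec

def find_bruteforce(lines, window=timedelta(minutes=1), threshold=5):
    """Return {client_ip: (total_attempts, unusual_response_sizes)} for each client
    that sent at least `threshold` login attempts inside any `window`. The odd
    response size is reported because a single differing length is what marks
    the successful guess in Intruder's results."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(BRUTE_PATH) and "password=" in rec["path"]:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end in range(len(recs)):          # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            sizes = [r["size"] for r in recs]
            usual = max(set(sizes), key=sizes.count)
            findings[ip] = (len(recs), sorted({s for s in sizes if s != usual}))
    return findings

def _log_line(ip, second, pw, size):
    """Build one constructed log line for the sample below (not real traffic)."""
    return (f'{ip} - - [01/Apr/2025:10:00:{second:02d} +0000] "GET {BRUTE_PATH}'
            f'?username=admin&password={pw}&Login=Login HTTP/1.1" 200 {size}')

# Constructed sample: five failed guesses with identical response size, one
# different-sized response, plus an unrelated request from another client.
SAMPLE_LOG = [_log_line("192.168.23.129", i * 3, pw, 4410) for i, pw in enumerate("abcde")]
SAMPLE_LOG.append(_log_line("192.168.23.129", 18, "guess6", 4470))
SAMPLE_LOG.append('192.168.23.50 - - [01/Apr/2025:10:00:20 +0000] '
                  '"GET /dvwa/index.php HTTP/1.1" 200 3000')

if __name__ == "__main__":
    for ip, (n, odd) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login attempts, unusual response sizes {odd}")
```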
Command Execution Vulnerability Exploitation
2. Identifying the Vulnerability
• Navigated to the Command Execution section in DVWA, where a web form allowed users to input
an IP address to perform a ping operation.
• When an IP was entered, the server executed the ping command and displayed the output.
2.1 Testing for Command Injection
• To test for command injection, the input was modified by appending | ls (e.g., 192.168.23.129 | ls).
Fig 12 Free Ping page from DVWA.
• Instead of restricting the input to only ping commands, the application executed the ls
command, revealing the contents of the web directory.
Fig 13 Arbitrary Command Execution.
2.2 Verifying Arbitrary Command Execution
• The output confirmed that ls was successfully executed, displaying files such as index.php and
source, indicating that user-controlled input was being executed directly on the system.
• This vulnerability allows an attacker to run arbitrary system commands, potentially leading to
full system compromise. If further exploited, it could allow access to sensitive files, privilege
escalation, or remote code execution.
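The root cause is that the user's string reaches a shell. Stripping a few separators does not help, because any separator left off the list still works; the fix is to validate the input as an IP address and to start ping without a shell. The following is an added example (not the report's code, and Python rather than DVWA's PHP); the two-entry blacklist is an assumed illustration, since the report does not show the application's actual filter.

```python
import ipaddress
import subprocess

def blacklist_filter(target):
    """Blacklist-style filtering of a few shell separators (assumed list).
    Shows why the approach fails: the pipe used in the report is not on it."""
    for bad in ("&&", ";"):
        target = target.replace(bad, "")
    return target

def validate_ip(target):
    """Allow-list validation: accept only a syntactically valid IPv4/IPv6 address."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None

def build_ping_argv(target, count=1):
    """Return the argv list for ping, or None when the input is not an IP address.
    A list handed to subprocess with shell=False is never parsed by a shell,
    so characters such as | ; && carry no special meaning."""
    ip = validate_ip(target)
    if ip is None:
        return None
    return ["ping", "-c", str(count), ip]

def ping(target, timeout=10):
    """Run ping for a validated address and return its output."""
    argv = build_ping_argv(target)
    if argv is None:
        return "Invalid IP address"
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.stdout or result.stderr

if __name__ == "__main__":
    injected = "192.168.23.129 | ls"          # the input used in the report
    print("after blacklist:", blacklist_filter(injected))   # pipe survives
    print("argv:", build_ping_argv(injected))               # None: rejected
    print("argv:", build_ping_argv("192.168.23.129"))
```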
Exploiting File Inclusion Vulnerability in DVWA
3. Identifying the Vulnerability
• Navigated to the File Inclusion section of DVWA.
Fig 14 File Inclusion Section homepage.
• The page suggested modifying the ?page= parameter in the URL to include different files.
3.1 Testing Local File Inclusion (LFI)
• Attempted to load index.php using ?page=index.php, which resulted in a Fatal error: Allowed
memory size exhausted. This suggested that the application was trying to include a large file or
was stuck in a loop.
Fig 15 Error while accessing index.php.
3.2 Exploiting LFI to Read Sensitive Files
• Used a path traversal payload to access /etc/passwd:
| ?page=../../../../etc/passwd
• Successfully retrieved the contents of /etc/passwd, confirming the LFI vulnerability.
• This file contains crucial system user information, which could be used for further attacks like
user enumeration or privilege escalation.
Fig 16 Webpage leaking the contents of /etc/passwd.
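The inclusion above works because the ?page= value is joined to a directory and included as-is, so ../ segments walk out of that directory. An added example (not the report's code, Python rather than DVWA's PHP) of the two controls that stop this: an allow-list of page names and a canonical-path containment check; the directory and page names are assumptions.

```python
import os

PAGES_DIR = "/var/www/dvwa/vulnerabilities/fi"             # assumed include directory
ALLOWED_PAGES = {"include.php", "about.php", "help.php"}   # assumed page names

def within_base(base, requested):
    """True only if the canonical path of `requested` lies inside `base`.
    realpath collapses ../ segments and resolves symlinks, so traversal
    sequences and absolute paths both resolve to somewhere outside `base`."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    return os.path.commonpath([base_real, target]) == base_real

def resolve_page(page_param, base=PAGES_DIR):
    """Map the ?page= parameter to a file to include, or None to refuse.
    The allow-list is the primary control; the containment check is defence
    in depth for the day the list is widened to subdirectories or patterns."""
    if page_param not in ALLOWED_PAGES:
        return None
    if not within_base(base, page_param):
        return None
    return os.path.join(os.path.realpath(base), page_param)

if __name__ == "__main__":
    for p in ("about.php", "../../../../etc/passwd", "/etc/passwd"):
        print(repr(p), "->", resolve_page(p), "| inside dir:", within_base(PAGES_DIR, p))
```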
Exploiting SQL Injection Vulnerability
4. Identifying the Vulnerability
Fig 17 Vulnerability parameter for SQLi.
• The target was a simple webpage with a text box that accepted an ID number and displayed the
corresponding user's details.
• Entering a valid ID (e.g., 1) returned expected user information.
Fig 18 Valid basic info for user with ID 1.
4.1 Initial SQL Injection Test
• Tried entering 1' OR '1'='1, but it resulted in an error due to character filtering.
Fig 19 Error giving us a hint of blacklist filter.
• Observed that the application prefixed each special character with a /, which suggests a
blacklist-based filtering approach.
4.2 Bypassing Input Filtering
• Entered 1 OR 1=1, which successfully bypassed filtering and returned all user details, confirming
SQLi vulnerability.
Fig 20 All users of the database.
4.3 Extracting Sensitive Data via UNION-Based SQL Injection
Fig 21 Final Credential Leak from the query.
• Used the following payload to extract usernames and passwords from the database:
| 1 UNION SELECT user,password FROM users --
• This query successfully retrieved all usernames and their corresponding passwords, leading to
the compromise of sensitive credentials.
Blind SQL Injection Exploitation
Overview
Blind SQL Injection occurs when the web application does not directly display query results but
still interacts with the database. Attackers use time-based or boolean-based techniques to extract
information. In this case, DVWA had a blind SQLi vulnerability in the user lookup page.
5. Identifying the Vulnerability
• The page contained an input box to retrieve user details based on an ID.
• Unlike the previous SQL Injection page, no direct database errors or outputs were visible.
• However, the submitted query appeared in the URL, hinting at potential SQL injection.
5.1 Using SQLMap for Automated Exploitation
Initial Request
• Copied the vulnerable request URL:
| http://192.168.23.132/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#
• Attempted to run SQLMap:
| sqlmap -u "http://192.168.23.132/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --dbs
Fig 22 Attempting SQLmap with no cookie.
• This failed because it redirected to the DVWA login page due to missing authentication.
5.2 Bypassing Authentication
• Extracted session cookies from browser:
| security=medium; PHPSESSID=f9cea4e4b3314ec27c1684e42dfabbe5
• Used SQLMap with the session cookie:
| sqlmap -u "http://192.168.23.132/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=medium; PHPSESSID=f9cea4e4b3314ec27c1684e42dfabbe5" --dbs
Fig 23 SQLmap query with cookie bypassing the authentication.
• Successfully retrieved the 7 available databases, among which dvwa was the one of interest.
Fig 24 List of available databases.
5.3 Extracting Database Structure
• Identified the DVWA database.
• Retrieved its tables using:
| sqlmap -u "http://192.168.23.132/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=medium; PHPSESSID=f9cea4e4b3314ec27c1684e42dfabbe5" -D dvwa --tables
• Found users and guestbook tables.
• Attackers can extract sensitive database contents, including stored credentials, and leaked
credentials can lead to account takeover.
Fig 25 Retrieving tables from the database dvwa.
Fig 26 Tables from the database containing credentials.
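Both the error-based and the blind injection above share one root cause: the id value is escaped but then pasted into the SQL text without quotes, so escaping quotes cannot help, while 1 OR 1=1 rewrites the WHERE clause. The following is an added example (not the report's code; Python with an in-memory SQLite table standing in for the DVWA users table, with constructed rows) that reproduces the error-then-bypass sequence from sections 4.1 and 4.2 beside a parameterized query that closes both the visible and the blind variant.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the DVWA users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "hash-placeholder-1"),
        (2, "Alice", "Example", "alice", "hash-placeholder-2"),
        (3, "Bob", "Example", "bob", "hash-placeholder-3"),
    ])
    return conn

def escape_quotes(value):
    """Quote-escaping of the kind the report observed (special characters
    prefixed with an escape character). It only protects quoted string literals."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def lookup_vulnerable(conn, user_id):
    """Escaped but interpolated into the SQL text without quotes. A quoted
    payload breaks the syntax (the error in 4.1); `1 OR 1=1` changes the
    WHERE clause and returns every row (the bypass in 4.2)."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {escape_quotes(user_id)}"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"ERROR: {exc}"

def lookup_safe(conn, user_id):
    """Validate the type, then bind the value: it is never parsed as SQL, so
    neither visible nor blind injection has anything to work with."""
    if not user_id.strip().isdigit():
        return []
    return conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                        (int(user_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1' OR '1'='1", "1 OR 1=1"):
        print(repr(value), "->", lookup_vulnerable(db, value), "| safe:", lookup_safe(db, value))
```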
File Upload Vulnerability Exploitation
The file upload vulnerability allows an attacker to upload malicious files to a server, potentially
leading to remote code execution (RCE). In this case, DVWA restricted uploads to JPEG images, but by
bypassing the file type filter, a PHP web shell was successfully uploaded.
6. Identifying the Upload Restriction
• The upload page only allowed JPEG image files.
• Attempted to upload b374k.php (a PHP web shell).
• The upload failed with a "Cannot modify header information" error.
Fig 27 File upload page with image only restriction.
Fig 28 Error since the uploaded file was a php file not jpeg.
• Viewing the source code of the page revealed that it strictly checked for .jpeg file extensions.
Fig 29 Source code of the web application.
6.1 Bypassing the File Type Restriction
Initial Attempt: Renaming the PHP File
• Renamed b374k.php → b374kimage.jpeg.
• Successfully uploaded the file but accessing it at /hackable/uploads/ resulted in an error.
Fig 30 Error on accessing the php after rename.
Advanced Bypass: Modifying the Upload Request
• Used Burp Suite to intercept the file upload request.
Fig 31 Modifying request in burp suite.
• Modified the request to bypass the content-type filter while keeping the .php extension.
• Successfully tricked the server into accepting the PHP file.
Fig 32 PHP shell file successfully uploaded.
• The file was uploaded to /hackable/uploads/b374kimage.php.
6.2 Gaining Shell Access
• Accessed the web shell via:
| http://192.168.23.132/hackable/uploads/b374kimage.php
• The b374k web shell interface loaded successfully.
Fig 33 b374k interface.
Fig 34 www-data user accessed.
• Used the shell tab to execute whoami.
• Verified that shell access was successfully obtained.
• Attackers can upload malicious scripts and gain remote access to the server, which may lead to
data theft.
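The bypass above worked because the server trusted a header the client sends (Content-Type) and let the uploaded file keep its .php name. An added example (not the report's code, Python rather than DVWA's PHP) of a content-type-only check beside validation that also checks the extension, the file's magic bytes and embedded PHP markup, and stores the file under a server-chosen name; the upload directory and the test inputs are constructed.

```python
import os
import secrets

ALLOWED_EXT = {"jpeg", "jpg"}
ALLOWED_TYPES = {"image/jpeg"}
JPEG_MAGIC = b"\xff\xd8\xff"

def content_type_only_check(filename, content_type, data):
    """The kind of check defeated by editing one header in Burp: the client
    controls Content-Type, so it proves nothing about the bytes or the name."""
    return content_type in ALLOWED_TYPES

def validate_upload(filename, content_type, data, max_size=200_000):
    """Return None if the upload is acceptable, otherwise the reason for rejection."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return "extension not allowed"
    if content_type not in ALLOWED_TYPES:
        return "content type not allowed"
    if len(data) > max_size:
        return "file too large"
    if not data.startswith(JPEG_MAGIC):          # check the bytes, not the header
        return "content is not a JPEG"
    if b"<?php" in data or b"<?=" in data:       # JPEG with a PHP payload appended
        return "embedded PHP markup"
    return None

def stored_path(filename, content_type, data, upload_dir="/var/www/hackable/uploads"):
    """Server-chosen random name with a fixed extension: even if a later check
    is bypassed, the stored file can never be named .php. The directory
    (assumed here) should additionally be served without script execution."""
    if validate_upload(filename, content_type, data) is not None:
        return None
    return os.path.join(upload_dir, secrets.token_hex(8) + ".jpeg")

# Constructed inputs (no real web shell): a PHP stub and a minimal JPEG header.
PHP_STUB = b"<?php /* constructed placeholder */ ?>"
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"

if __name__ == "__main__":
    print("header-only check on renamed PHP:", content_type_only_check("b374kimage.php", "image/jpeg", PHP_STUB))
    print("full validation:", validate_upload("b374kimage.php", "image/jpeg", PHP_STUB))
    print("full validation, .jpeg name:", validate_upload("b374kimage.jpeg", "image/jpeg", PHP_STUB))
    print("real JPEG stub:", validate_upload("photo.jpeg", "image/jpeg", JPEG_STUB))
```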
Reflected Cross-Site Scripting (XSS) Exploitation
Reflected XSS occurs when user input is immediately reflected in a webpage without proper
sanitization, allowing attackers to execute malicious JavaScript in a victim’s browser.
7. Identifying the Input Field
• Found a text input box that echoed back the entered text.
• Tried the basic XSS payload:
| <script>alert(0)</script>
• Failed because the site filtered <script> tags.
7.1 Bypassing the Filter
Fig 35 Source code which eliminates <script> from input.
• Analyzed the source code and discovered case-sensitive filtering (it only replaced lowercase
<script>).
• Attempted uppercase bypass:
| <SCRIPT>alert(0)</SCRIPT>
• Triggered the JavaScript alert box with 0.
• Attackers can steal session cookies, execute keyloggers, or perform phishing attacks.
Fig 36 Reflected XSS alert.
Stored Cross-Site Scripting (XSS) Exploitation
Stored XSS is a vulnerability where malicious JavaScript is stored on the server and executed
whenever a user loads the affected page. In this case, I tested a guestbook feature in Damn Vulnerable
Web Application (DVWA), which allowed users to enter names and messages.
Fig 37 Guestbook memo having Stored XSS Vulnerability.
8. Identifying the Vulnerable Page
• The guestbook page had two input fields:
1. Name field (with a character limit).
2. Message field (which trims input before storing it).
Fig 38 Analyzing the Source Code.
8.1 Initial XSS Attempts
• I first attempted a simple XSS payload in the message field:
| <script>alert(0)</script>
• Failed because the input was trimmed.
Fig 39 Putting basic XSS alert script.
• I then tried an alternative payload in the message field:
| <img src="x" onerror="alert('popup');">
Fig 40 Trying different XSS payload.
• Failed as it was also trimmed.
8.2 Bypassing the Input Restrictions
• Since the message field was filtering input, I inspected the page source code.
• Found that the Name field had a character limit but no strict filtering for special characters.
• Bypassed the limit using browser DevTools (Inspect Element) to increase the allowed
character count.
Fig 41 Removed character limit restriction.
8.3 Successful Stored XSS Injection
• Injected a basic XSS payload into the Name field:
| <script>alert(0)</script>
• Successfully stored the payload.
Fig 42 Alert Popup whenever the page reloaded.
• Whenever the page reloaded, the alert popped up, proving XSS execution.
• The script was stored persistently in the database.
• Any user visiting the page triggered the malicious script.
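Both XSS findings above come from the same pair of mistakes: filtering input (a case-sensitive <script> replacement in section 7, a client-side length limit in section 8) instead of escaping output, and trusting a browser-enforced maxlength that DevTools removes. The following is an added example (not the report's code, Python rather than DVWA's PHP) that reproduces the weak filter beside output encoding and a server-side length check; the 10-character limit is an assumed value, as the report only says the field has a limit.

```python
import html

def medium_style_filter(value):
    """Case-sensitive removal of the literal <script> tag, as the report found
    in the Medium-level source: an upper-case tag passes through untouched."""
    return value.replace("<script>", "")

def render_reflected(name):
    """Output encoding: the user-controlled string is HTML-escaped at the point
    where it is written into the page, whatever its case or tags."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"

MAX_NAME_LEN = 10   # assumed server-side limit

def add_guestbook_entry(store, name, message):
    """Server-side enforcement of the name length. The HTML maxlength attribute
    is advisory only (the report removed it in DevTools), so the server must
    re-check it, and must escape on output rather than rely on input filtering."""
    name, message = name.strip(), message.strip()
    if not name or len(name) > MAX_NAME_LEN or not message:
        return False
    store.append({"name": name, "message": message})
    return True

def render_guestbook(store):
    """Every stored field is escaped when rendered, so stored markup is shown as text."""
    return "\n".join(f"<div><b>{html.escape(e['name'])}</b>: {html.escape(e['message'])}</div>"
                     for e in store)

def has_raw_tag(rendered, tag):
    """True if an unescaped <tag opens anywhere in the rendered HTML."""
    return f"<{tag}".lower() in rendered.lower()

if __name__ == "__main__":
    upper = "<SCRIPT>alert(0)</SCRIPT>"
    print("filter output:", medium_style_filter(upper))          # unchanged
    print("rendered:", render_reflected(upper))                    # escaped
    book = []
    print("long name accepted:", add_guestbook_entry(book, "<script>alert(0)</script>", "hi"))
    add_guestbook_entry(book, "tester", '<img src="x" onerror="alert(\'popup\');">')
    print(render_guestbook(book))
```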
Conclusion
This report demonstrated various security vulnerabilities in DVWA (Medium Security Level),
highlighting their exploitation methods and potential risks. The findings include brute force attacks,
command execution, SQL injection, file inclusion, file upload exploitation, and cross-site scripting
(XSS). Each of these vulnerabilities poses significant threats, such as unauthorized access, data leakage,
and remote code execution.
The successful exploitation of these vulnerabilities emphasizes the critical need for secure
coding practices and proactive security measures. Implementing input validation, parameterized
queries, strict file upload controls, and XSS protections can effectively mitigate these risks. This
assessment underscores the importance of regular security testing and vulnerability management to
ensure the robustness of web applications against cyber threats.