DVWA Online - Damn Vulnerable Web ApplicationDamn Vulnerable Web App Test Drive

 

What is it?

Welcome to our test drive – this document will  provide you with the information you need to get the most out of Damn Vulnerable Web App (DVWA) test drive in Azure.

Get your test drive here:

DVWA Online Trial, Damn Vulnerable Web Application Trial

DVWA is a PHP/MySQL web application, whose main goal is to be an aid for security professionals to test their skills and tools in a legal environment. We have tried to make the deployment of the DVWA as simple as possible and have built a feature add-on that can be easily applied to the edgeNEXUS ALB-X load balancer.

How

The ALB-X has the ability to run containerised applications that can be join together directly or by using the load balancer proxy. This image has 1 already deployed Add-On but you can always go to Appstore the and deploy more.

 

Connectivity Overview

Virtual machines deployed in the Azure cloud make use of private internal IP addressing (NAT’ed IP’s) in the same way as would be deployed in a standard data centre environment. To gain access to the resource via the public internet a NAT function is performed from the allocated Public IP address to the Private IP address of the virtual machine. One IP address is allocated to the appliance and different ports are used to access the different resources. The diagram below shows how the different functions communicate. DVWA Online, Damn Vulnerable Web Application

 

Docker host name / IP address and IP service connectivity

Add-On applications deployed on the ALB-X communicate with ALB-X through an internal docker0 network interface. They are automatically allocated IP addresses from the internal docker0 pool. A host name for each instance of Add-On application is configured through the ALB-X GUI prior to starting the application. The ALB-X is able to resolve the docker0 IP address for the application using this internal host name. Always use the host name when addressing the application containers – IP’s may change! IP services using the Azure eth0 private IP address are configured on the ALB-X to allow for external access to the add-on application. This enables the use of the ALB-X reverse proxy function to perform SSL offload and port translation where required. So these are all the open ports:

ALB-X GUI Management: 27376 DVWA: 80

Accessing the Test Drive GUI

When you request a test drive a new instance of the DVWA test appliance is created in Azure. Once it has started you will be advised the Internet host name to be able to access the Web GUI of the ALB-X platform also the unique user name and password combination.   We recommend using the Chrome browser for this purpose. Access the Server

https://host name:27376

As we use a local SSL certificate for the management access you will be prompted in your browser to accept the security alert. You will see the pre-configure IP services screen once you login.  

ALB-X Add-Ons

Click on Library in the left menu and select Add-Ons. Here you can see the DVWA Add-On that has been deployed on the ALB-X platform. It has been configured with a container or host name dvwa1 and you can see the 172.x.x.x dynamic docker0 IP address that was allocated when the application was started. Note in the Azure environment the Add-On GUI access buttons are not used. Feel free to click around the rest of the ALB-X GUI interface for familiarity.

 

Damn Vulnerable Web App

As it is the DVWA functionality that you are interested in it would make sense now to take a look at the DVWA GUI. The DVWA as you can see from the IP services naming runs on port 80. When you enter your test drive address in your browser you will be presented with the DVWA Setup page. Click on Create / Reset Database

  Login to DVWA with default credential admin / password.

You will now be logged into DVWA as admin. The default security level for DVWA is “Impossible” so it will not exhibit any vulnerabilities.

You should set the level to low by clicking on the DVWA Security menu selecting “Low“ from the drop down and clicking submit.

DVWA is now all primed and ready for use as a vulnerability test target.

Command Injection

We will try exploiting one of the DVWA vulnerabilities. As we can see there is a page in DVWA where we can ping any IP address. Let’s check whether DVWA performs input parameters validation in “Low” security mode. Enter “127.0.0.1; cat /etc/passwd” in the IP address input field. Voilà, we have successfully injected an arbitrary command and got a list of users registered in the operating system. There are many online resources about using DVWA which may help improve your web application security skills. We welcome your feedback and would be glad to assist with setting up your own production WAF implementation. For assistance please mail pre-sales@edgenexus.io