What is it?
Welcome to our test drive – this document will provide you with the information you need to get the most out of Damn Vulnerable Web App (DVWA) test drive in Azure.
Get your test drive here:
DVWA is a PHP/MySQL web application, whose main goal is to be an aid for security professionals to test their skills and tools in a legal environment. We have tried to make the deployment of the DVWA as simple as possible and have built a feature add-on that can be easily applied to the edgeNEXUS ALB-X load balancer.
The ALB-X has the ability to run containerised applications that can be join together directly or by using the load balancer proxy. This image has 1 already deployed Add-On but you can always go to Appstore the and deploy more.
Virtual machines deployed in the Azure cloud make use of private internal IP addressing (NAT’ed IP’s) in the same way as would be deployed in a standard data centre environment. To gain access to the resource via the public internet a NAT function is performed from the allocated Public IP address to the Private IP address of the virtual machine. One IP address is allocated to the appliance and different ports are used to access the different resources. The diagram below shows how the different functions communicate.
Docker host name / IP address and IP service connectivity
Add-On applications deployed on the ALB-X communicate with ALB-X through an internal docker0 network interface. They are automatically allocated IP addresses from the internal docker0 pool. A host name for each instance of Add-On application is configured through the ALB-X GUI prior to starting the application. The ALB-X is able to resolve the docker0 IP address for the application using this internal host name. Always use the host name when addressing the application containers – IP’s may change! IP services using the Azure eth0 private IP address are configured on the ALB-X to allow for external access to the add-on application. This enables the use of the ALB-X reverse proxy function to perform SSL offload and port translation where required. So these are all the open ports:
ALB-X GUI Management: 27376 DVWA: 80
Accessing the Test Drive GUI
When you request a test drive a new instance of the DVWA test appliance is created in Azure. Once it has started you will be advised the Internet host name to be able to access the Web GUI of the ALB-X platform also the unique user name and password combination. We recommend using the Chrome browser for this purpose. Access the Server
Click on Library in the left menu and select Add-Ons. Here you can see the DVWA Add-On that has been deployed on the ALB-X platform. It has been configured with a container or host name dvwa1 and you can see the 172.x.x.x dynamic docker0 IP address that was allocated when the application was started. Note in the Azure environment the Add-On GUI access buttons are not used. Feel free to click around the rest of the ALB-X GUI interface for familiarity.
Damn Vulnerable Web App
As it is the DVWA functionality that you are interested in it would make sense now to take a look at the DVWA GUI. The DVWA as you can see from the IP services naming runs on port 80. When you enter your test drive address in your browser you will be presented with the DVWA Setup page. Click on Create / Reset Database
Login to DVWA with default credential admin / password.
You should set the level to low by clicking on the DVWA Security menu selecting “Low“ from the drop down and clicking submit.
DVWA is now all primed and ready for use as a vulnerability test target.
We will try exploiting one of the DVWA vulnerabilities. As we can see there is a page in DVWA where we can ping any IP address. Let’s check whether DVWA performs input parameters validation in “Low” security mode. Enter “127.0.0.1; cat /etc/passwd” in the IP address input field. Voilà, we have successfully injected an arbitrary command and got a list of users registered in the operating system. There are many online resources about using DVWA which may help improve your web application security skills. We welcome your feedback and would be glad to assist with setting up your own production WAF implementation. For assistance please mail firstname.lastname@example.org