In order to prevent brute force, the high.php introduces sleep(3);. However, using parallel threads it is still possible to brute force this implementation. As the low.php is showing an sql injection instead of a brute force I would recommend the following:
implement something like this in low.php (pseudocode):

$user = mysql_real_escape_string( $_GET['user'] );
if (!mysql_query ("`users` contains $user …")) {
    echo "Username does not exist!";
} else {
    $password = $_GET['password'];
    /* do password stretching */
    for($i=0;$i<1024;$i++){
        $password = sha512sum($password);
    }
    $stored_password = mysql_query ("SELECT password FROM `users` WHERE user = '$user'");
    if ($stored_password != $password) {
        echo "Password incorrect!";
    }
}

I would propose the following for medium.php

$user = mysql_real_escape_string( $_GET['user'] );
if (!mysql_query ("`users` contains $user …")) {
    echo "Username or Password incorrect!";
} else {
    $password = $_GET['password'];
    /* do password stretching */
    for($i=0;$i<1024;$i++){
        $password = sha512sum($password);
    }
    $stored_password = mysql_query ("SELECT password FROM `users` WHERE user = '$user'");
    if ($stored_password != $password) {
        echo "Username or Password incorrect!";
    }
}

And the following for high.php

/* This solution has the drawback, that an attacker may:
 *   1. Lock known accounts for 1 Minute (problematic if login
 *      function is availability-critical, e.g., online-auctions)
 *   2. Flood the bruteforceusers database with dummy-entries 
 *      (may be flushed with a cronjob)
 * For a longer discussion you might want to read:
 *   https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
 */
$user = mysql_real_escape_string( $_GET['user'] );
$account_lock_time = mysql_query("SELECT account_lock_time FROM `bruteforceusers` WHERE user = '$user'");
if ($account_lock_time < current_time() - 60) {
    $password = $_GET['password'];
    /* do password stretching */
    for($i=0;$i<1024;$i++){
        $password = sha512sum($password);
    }
    $stored_password = mysql_query ("SELECT password FROM `users` WHERE user = '$user'");
    $wrong_attempts = mysql_query("SELECT wrong_attempts FROM `bruteforceusers` WHERE user = '$user'");
    if (!mysql_query ("`users` contains $user …") || $stored_password != $password) {
        echo "Username or Password incorrect!";
        $wrong_attemts++;
        mysql_query("UPDATE `bruteforceusers` SET wrong_attemts = $wrong_attemts WHERE user = '$user'");
        if ($wrong_attemts > 5) {
            mysql_query("UPDATE `users` SET account_lock_time = " . current_time() . " WHERE user = '$user'");
            echo "This account has been locked for 1 Minute!";
        }
    } else {
        echo "There were $wrong_attemts wrong password attempts since your last login";
        mysql_query("UPDATE `bruteforceusers` SET wrong_attemts = 0 WHERE user = '$user'");
    }
} else {
    echo "This account has been locked for 1 Minute!";
}

Fatal error: Call to undefined function dvwaExternalLinkUrlGet() in C:\xampp\htdocs\dvwa\vulnerabilities[Insert Vuln Here]\help\help.php on line 33

It does this for all php files that use this function >:(

I have all the files in /var/www/ but it wont pull up the local host? Looks like this has been a common problem on the tutorial I'm watching on Udemy. Thanks

I don‘t know why that my user_taken and session_token always unequal...So I can't create my dbs

when I change the code "$_SESSION[ 'session_token' ] = md5( uniqid() )" to "$_SESSION[ 'session_token' ] = md5('a')", this worked。

I guess this porblem is “uniqid()”.

the first one actually is interesting. If you have DVWA, just in your HDD. this can lead to RCE, interesting exploit

Others are unintended too. :)
http://paulosyibelo.blogspot.com/2014/09/dvwa-unintended-security-issues.html

Hi, I have a issue with CAPTCHA key, even after copying the right & inserting it to public & server it still says could not Could not connect to the MySQL service. Please check the config file. & how to fix
Writable file /var/www/html/DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: No
kindly suggest me a fix.

I really do not know how to enable shell_exec for command injection, plz help

Hi,
I am unable to login with the default username admin and password password. it keeps redirecting me to the login page. I used the setup page to create dvwa database and it was successful as i could see tables in the dvwa database. I also change all the permission to 777 to ensure it is not a permission issue

Not sure what else i can try, can someone please assist?

I might be wrong here, but I think that the "SQL Injection (Blind)" section in dvwa is just a regular SQL Injection vulnerability.

According to DVWA what makes a SQLi vulnerability to be blind is not showing SQL error messages to the user.

Showing the SQL error messages to the user is just: a SQL injection vuln + a misconfiguration issue.

A blind SQL injection might occur when the columns of the results returned by a query are not shown to the user. However, the user can tell somehow if the query returned any records or none.
E.g.: Suppose the url "http://www.example.com/user?id=USER_ID" returns:

• 200 if USER_ID exists
• 404 if USER_ID not exists

But it won't show any information from the query results (e.g. username, address, phone, etc)

If the page is vulnerable to SQLi, an attacker won't be able get info from the DB printed in the result page, but he might be able to infer it by asking yes/no questions.

E.g. if user id 1 exits:

• ?id=1 and 1=1: will return 200
• ?id=1 and 1=2: will return 404

of course the attacker doesn't need to ask the DB if 1=1 or 1=2 (he can ask a calculator that), but he might ask more interesting yes/no questions like:

• is the length of the admin's password greater than 5?
• is the length of the admin's password equal to 10?
• is the first char of the admin's password greater than 'm'
• is the first char of the admin's password equal to 'r'
• is the second char of the ...

I suggest you add a real blind sql injection section in DVWA. While displaying or not SQL errors can be just a difference between the security=low and security=medium levels of the regular SQL Injection section.

More info:
https://www.owasp.org/index.php/Blind_SQL_Injection
http://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection

I am using DVWA 1.0.8 and 1.0.7 respectively but doing all my effort and follows all the recommendation i got and error message after typing Username and Password that is Table 'dvwa.users' does'nt exist. Please help me if anybody solved it earlier. Or send me any file or description at: [email protected]

I've tried to install dvwa on kali linux, ubuntu and windows but for some reason i cant get it to work.
Everything's fine and the installation goes smoothly, but when im about to connect to 127.0.0.1/dvwa/setup.php i get a blank page, its the same at login.php.

I dont understand what the matter is, i've seen other people with the same problem recently but without some solution.

I would appreciate some help on this matter.

I want to know why in the file login.php there isn't any conditional statement to use PostgreSQL as the database instead of MySQL, I can only see the PHP function mysql_query() but not pg_query() when the application is trying to register the login action.

$ tree dvwa/includes/DBMS/
dvwa/includes/DBMS/
├── DBMS.php
├── MySQL.php
└── PGSQL.php
0 directories, 3 files

Bonjour Misure, just noticed something odd. I was able to bypass the filtering on command injection with security token set to HIGH using a simple '|'. Took a look at the source and it seems you have a stray white space in the pipe filter (see below).

if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = trim($_REQUEST[ 'ip' ]);

// Set blacklist
$substitutions = array(
    '&'  => '',
    ';'  => '',
    '| ' => '',
    '-'  => '',
    '$'  => '',
    '('  => '',
    ')'  => '',
    '`'  => '',
    '||' => '', 

Hi,

I have tried to set up DVWA on Kali Linux 2, mysql and apache2 are both running but the webpage states that 'Sever not found'. Any ideas?

Thanks,
Shane

I am using XAMPP web server, and it is working well. Only, I do not know why "localhost" is loading the setup.php and not the login.php. When I remove "setup.php" from the URL and replace it with "login.php", the URL is flipping back to "setup.php".
So, I tried already to reinstall DVWA - XAMPP - MySql -PHP5, etc, but always the same problem occurs.
What can I do to change in a good direction?
Anyone can help?
Thanks !

To all who can help.

I've seen this issue has been posted before however, there has not been any resolution. I installed DVWA on XAMPP but, when I try to go to localhost/dvwa in the browser it sends me to the localhost/dvwa/login.php web page which is blank. I've manually typed localhost/dvwa/setup.php in the browser and that page comes up fine. So does, instructions.php and about.php. Can anybody help me with this issue.

More info:

Setup Check is showing the following information. Should some of the processes that are coming up as disabled be enabled. If so, how can I resolve this issue?

Operating system: Windows
Backend database: MySQL
PHP version: 5.6.19

Web Server Server_Name: localhost

PHP function display_error: Enabled (Easy Mode!)
PHP function safe_mode: Disabled
PHP function allow_url_include: Disabled
PHP function allow_url_fopen: Enabled
PHP function magic_quotes_gpc: Disabled
PHP module php-gd: Instaled

reCAPTCHA key: Missing

Writable folder C:\xampp\htdocs\dvwa/hackable/uploads/: Yes)
Writable file C:\xampp\htdocs\dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: Yes

DVWA was installed on a system running Windows 8

It would be great a redirection to the file setup.php if the installation process was not started. I have this little piece of code checking in the information schema database if the table users exists in the database specified in the configuration file.

Only works with MySQL database.

$ diff login.php login.php.fork 
22a23,31
>   $users_exists_q = @mysql_query("SELECT table_schema, table_name, create_time
>       FROM information_schema.tables
>       WHERE table_schema='{$_DVWA['db_database']}' AND table_name='users'
>       LIMIT 1");
>   if( !mysql_fetch_assoc($users_exists_q) ){
>       header('Location: setup.php');
>       exit;
>   }
>

I'm able to access 127.0.0.1/dvwa/setup.php but login.php as well as every other page is blank. I've searched up on the issue and only one other person has this issue. Any ideas on what I might have done wrong?

I'm running on Backbox, both mysql and apache2 are running.

Upload file vulnerability won't work (Low security, PHPIDS disabled).
Iv'e tried everything, I've been on this for 3 days now, 16 hours a day.
I reinstalled localhost machine (running CentoOS) multiple times (tried 7 and 6), tried multiple php and mysql version, tried change all server files permissions to chmod 777, tried just /var/www chmod 777, tried disabling SELinux, tried disabling IPtables, nothing, absolutely nothing works!
doesn't matter if everything is running as root or not, it just won't work.I've also tried multiple web admin panels and multiple apache configs, nothing.
I've seen this issue posted here before, but fix wasn't explained.
Also, there is absolutely nothing in the logs! (Both error and access logs).
Help please! Thanks.

Hey,

I have talked with @ethicalhack3r and made changes to DVWA. fixing major unintended holes and some others that explained in http://www.paulosyibelo.com/2014/09/dvwa-unintended-security-issues.html

Other than that, fixed the Rosetta Flash attack for the high level, added some extra protection layers as a "high" level, and modified the graphics a lot.

I personally don't know how to use github to pull a request (embarrassed); neither do I have time. contacted ryan and he told me the same thing so, we were hoping some from here can do that for me and pull the newest, cooler, DVWA.

Here: can you try https://www.dropbox.com/s/s0t8rjm4vhlkllu/dvwa-final.zip?dl=0

Thanks,

In low.php (line 7 and 8) and medium.php (line 6 and 7) for the captcha vulnerability, it gets the new password and confirmation of password and assigns these values to variables.

But this only happens for step 1.
In step 2, these two variables $pass_new and $pass_conf are always blank when it is written to the database.

Hi Guys, can you step me through how I get the SQL injection working with the latest version of XAMPP (1.8.3).

If I modify .htaccess per the readme I get a Error 500 loading the page

cheers

I'm using DVWA 1.0.7 and I'm experiencing a strange issue. The security
settings for XSS Stored page are always set to "High" no matter what I do.
I've tried changing them to low and it works for every other page but that
one.

I've restarted Apache and MySQL with no luck. I'm on Mountain Lion 10.9.2
using XAMMP 1.8.3-3.

hi I have a setup problem and I dont understand this problem "status in red " please help
i use xampp server 3.2.2

How to use live CD? Can I use it through USB Flash drive? Does it work if simply copy and paste the contents of the iso file? Does it work in windows?

I can't troubleshoot this issue. I have a status PHP function allow_url_include: Disabled but my php.ini file is set to :on

Any ideas?

Hi,
Even after giving priviledges to upload folder, we were not able to upload any image file or php file. Then we modified the code and everything started to work fine. Is there any other solution to this? If you are facing similar issue in upload. Just copy and past our code into your low.php file in this directory
/var/www/dvwa/vulnerabilities/upload/source and everything will work fine.
You might need to modify the $target_path according to your OS

';
            $html .= ' succesfully uploaded!';
            $html .= '

I've been trying to install DVWA in a Debian 8 server and it looks that it wont connect to the database no matter what.

After some digging I foundthat you are using the "mysql" driver instead of "mysqli". The "mysql" driver is deprecated so it wont work on any modern GNU/linux distribution. (http://php.net/manual/en/function.mysql-connect.php)

Would it be possible to update to "mysqli" so this suite can be used with PHP >= 5.5 ?

Thanks!

It said in the instructions that the IP of DVWA was http://127.0.0.1/dvwa. Nothing shows up. I put the uncompressed file into the XAMP folder they told me to.

I believe that the session should not be able to be set via client side techniques when you are running in high secure mode.

"Unable to connect to the database.
mysql_error()
Click here to setup the database. "

I upload the web and that is all what it says when i open it.
If i click "here", it takes me to this:

"Click on the 'Create / Reset Database' button below to create or reset your database. If you get an error make sure you have the correct user credentials in /config/config.inc.php

If the database already exists, it will be cleared and the data will be reset.

Backend Database: MySQL "
and if i hit on the 'Create / Reset Database' it tells: Could not connect to the database - please check the config file.

I dont know what to do, im so newbie. Please help

Typographic error.
After the conversion of the files Readme.txt and Changelog.txt from the Subversion repository to the Git repository, you missed a change in the file instructions.php where are specified the path to load the files README.md and CHANGELOG.md.

$ diff instructions.php instructions.php.fork
13,14c13,14
<   'readme' => array( 'legend' => 'Read Me', 'file' => 'README.txt' ),
<   'changelog' => array( 'legend' => 'Change Log', 'file' => 'CHANGELOG.txt' ),

---
>   'readme' => array( 'legend' => 'Read Me', 'file' => 'README.md' ),
>   'changelog' => array( 'legend' => 'Change Log', 'file' => 'CHANGELOG.md' ),

i unzip the app on a default nginx install on arch linux
getting error 500 when clicking on the setup/reset database :/
php info works... i also followed this to make sure:
http://hackthistv.com/blog/how-to-install-dvwa-on-ubuntu-server-14-04/

Hi,I followed all instructions and I have read all fixes and I modified the config file hundred times but I still can't connect to the database.

What about adding a padding oracle vulnerability ?
I'd be willing to write it if you think it would bring value.

I've just scanned DVWA with Wfuzz and it found the /config directory and as directory indexing is enabled I can see the config.inf.php file but obviously can't read the contents as it is parsed by php.

It would be nice to have a "backup" of the file with .bak or .old in there that could be discovered as another vulnerability.

i cant generate the database, every time i click the button i get the message "Could not connect to the database - please check the config file."

this does not work on php 7 (xammp)..
work perfect on php 5.6 below

I have done everything seen in guides and everytime (even on low security), it dosn't upload the file.

Could not connect to the database.
Please check the config file.

This is error message I am receiving from DVWA. I am using XAMMP v 5.6.19-0. I have the password in the config file set to '', using root as username. I have looked for a solution to the issue but I appear to be on my own on this one. I am running OSX 10.11.3 Not sure what else to tell you Thanks for any help,
Charles

If the setup page gives a warning about something then give a link or help baloon which gives information on fixing the problem. The one I've just had is this

PHP function allow_url_include: Disabled

So the help would either say "go to php.ini and set X" or just point them at this page:

http://php.net/manual/en/filesystem.configuration.php

There are several points in the application where directory traversal is possible.
For example /vulnerabilities/view_source.php?id=csrf&security=../../../config/config.inc will reveal the configuration of the application.

These vulnerabilities are found in:
vulnerabilities/view_help.php (14)
vulnerabilities/view_source_all.php (12, 16, 20)
vulnerabilities/view_source.php (56)
the parameters id and security are not sufficiently validated.

Probably this was not an intended vulnerability.

*Getting Error after clicking on Create and reset database button
*
Fatal error: Uncaught Error: Call to undefined function mysql_connect() in C:\xampp\htdocs\DVWA\dvwa\includes\DBMS\MySQL.php:9 Stack trace: #0 C:\xampp\htdocs\DVWA\setup.php(17): include_once() #1 {main} thrown in C:\xampp\htdocs\DVWA\dvwa\includes\DBMS\MySQL.php on line 9

Could any 1 can help to reslove this issues

Detail
Setup Check
Operating system: Windows
Backend database: MySQL
PHP version: 7.0.4

Web Server SERVER_NAME: 127.0.0.1

PHP function display_errors: Enabled (Easy Mode!)
PHP function safe_mode: Disabled
PHP function allow_url_include: Enabled
PHP function allow_url_fopen: Enabled
PHP function magic_quotes_gpc: Disabled
PHP module php-gd: Installed

reCAPTCHA key: --------

Writable folder C:\xampp\htdocs\DVWA/hackable/uploads/: Yes)
Writable file C:\xampp\htdocs\DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: Yes

Status in red, indicate there will be an issue when trying to complete some modules.

Apache Server not Connecting, MYSQL works, error says
8:30:50 AM [Apache] Status change detected: stopped
8:30:50 AM [Apache] Error: Apache shutdown unexpectedly.
8:30:50 AM [Apache] This may be due to a blocked port, missing dependencies,
8:30:50 AM [Apache] improper privileges, a crash, or a shutdown by another method.
8:30:50 AM [Apache] Press the Logs button to view error logs and check
8:30:50 AM [Apache] the Windows Event Viewer for more clues
8:30:50 AM [Apache] If you need more help, copy and post this
8:30:50 AM [Apache] entire log window on the forums

Please help!!

Hi everyone !

First of all, thanks for creating this great learning tool :) I've been playing with it for some time and had good time.

I'd like to use DVWA to learn some tools too. I'm able to access DVWA (which is installed on VM machine) externally, that is from other VM machines and for manual learning it works fine. However when I try to use for example some SQLi tools (jsql for example) and I'm targeting SQLI module I get response that it's not possible although security is set to low. I'm guessing the problem may be first login page - correct me if I'm wrong.

Is there a way to disable logging in requirement to make all labs "public" ?

Thanks in advance :)

-data'create db=create+%2F+Reset+Database' http://127.0.0.1/dvwa/setup.php# --cookie PHPSESSID=1
curl: option --datacreate db=create+%2F+Reset+Database: is unknown
curl: any idea to solve??

I have setup everything as instructed. I can see the /setup.php /instructions.php and /about.php pages but when I click on the create database button, I just get a blank screen.
The url it goes to after clicking create database is - http://localhost/dvwa/setup.php#

Nothing else happens, it doesnt take me to the login or anything. Any help would be great.

Getting error
Fatal error: Uncaught Error: Call to undefined function mysql_connect() in C:\xampp\htdocs\dvwa\dvwa\includes\dvwaPage.inc.php:461 Stack trace: #0 C:\xampp\htdocs\dvwa\login.php(8): dvwaDatabaseConnect() #1 {main} thrown in C:\xampp\htdocs\dvwa\dvwa\includes\dvwaPage.inc.php on line 461

I tried the given solution and numerous solutions available as well as my own.
None of them would give any output or results. Please confirm so this issue can be solved

Why the captcha form is hidden?

https://github.com/RandomStorm/DVWA/blob/master/vulnerabilities/captcha/index.php#L35

It would be good to be able to delete entries from the stored xss guestbook without having to go to the database. A button on each entry to remove it would be useful.