DVWA Example Report

This document contains security scan results from a DVWA (Damn Vulnerable Web Application) application review on June 20, 2017. It identifies three potential issues: 1) The use of eval() on line 6 of dvwaPage.js, which could be done more safely. 2) A shell_exec() call on line 26 of the high vulnerability file may allow shell injection if the $target variable is manipulated. 3) An update query on line 30 of the high vulnerability captcha file is vulnerable to SQL injection and needs to be addressed immediately.

Uploaded by

dbircs

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

299 views

DVWA Example Report

Uploaded by

dbircs

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 2

DVWA

20 June 2017, 10:29 AM

\seval\s*\(

ID: 37 warn

/home/chris/src/DVWA-master/dvwa/js/dvwaPage.js:6

1: /* Help popup */
2:
3: function popUp(URL) {
4: day = new Date();
5: id = day.getTime();
6: eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,
7: }
8:
9: /* Form validation */
10:
11: function validate_required(field,alerttxt)

Questionable use of eval. Discuss with Engineering if this can be done more safely.

\sshell_exec\s*\(

ID: 175 warn

/home/chris/src/DVWA-master/vulnerabilities/exec/source/high.php:26

21: $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

22:
23: // Determine OS and execute the ping command.
24: if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
25: // Windows
26: $cmd = shell_exec( 'ping ' . $target );
27: }
28: else {
29: // *nix
30: $cmd = shell_exec( 'ping -c 4 ' . $target );
31: }

It looks like it may be possible to perform a shell-injection here. Discuss with Engineering whether $target could be manipulated maliciously.

\supdate
ID: 101 critical

/home/chris/src/DVWA-master/vulnerabilities/captcha/source/high.php:30

25: // CAPTCHA was correct. Do both new passwords match?

26: if( $pass_new == $pass_conf ) {
27: $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_strin
28: $pass_new = md5( $pass_new );
29:
30: // Update database
31: $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "' LIMIT 1;";
32: $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston
33:
34: // Feedback for user
35: $html .= "<pre>Password Changed.</pre>";

It looks very likely that the query executed on L32 is vulnerable to SQL injection. Discuss with Engineering immediately.

Hourglass Workout Program by Luisagiuliet 2
76% (21)
Hourglass Workout Program by Luisagiuliet 2
51 pages
12 Week Program: Summer Body Starts Now
87% (46)
12 Week Program: Summer Body Starts Now
70 pages
Read People Like A Book by Patrick King-Edited
57% (82)
Read People Like A Book by Patrick King-Edited
12 pages
Livingood, Blake - Livingood Daily Your 21-Day Guide To Experience Real Health
77% (13)
Livingood, Blake - Livingood Daily Your 21-Day Guide To Experience Real Health
260 pages
Cheat Code To The Universe
94% (79)
Cheat Code To The Universe
34 pages
Facial Gains Guide (001 081)
91% (45)
Facial Gains Guide (001 081)
81 pages
Curse of Strahd
95% (467)
Curse of Strahd
258 pages
The Psychiatric Interview - Daniel Carlat
91% (34)
The Psychiatric Interview - Daniel Carlat
473 pages
The Borax Conspiracy
91% (57)
The Borax Conspiracy
14 pages
The Secret Language of Attraction
86% (108)
The Secret Language of Attraction
278 pages
How To Develop and Write A Grant Proposal
83% (542)
How To Develop and Write A Grant Proposal
17 pages
Penis Enlargement Secret
60% (124)
Penis Enlargement Secret
12 pages
Workbook For The Body Keeps The Score
89% (53)
Workbook For The Body Keeps The Score
111 pages
Donald Trump & Jeffrey Epstein Rape Lawsuit and Affidavits
83% (1016)
Donald Trump & Jeffrey Epstein Rape Lawsuit and Affidavits
13 pages
KamaSutra Positions
78% (69)
KamaSutra Positions
55 pages
7 Hermetic Principles
93% (30)
7 Hermetic Principles
3 pages
27 Feedback Mechanisms Pogil Key
77% (13)
27 Feedback Mechanisms Pogil Key
6 pages
Frank Hammond - List of Demons
92% (92)
Frank Hammond - List of Demons
3 pages
Phone Codes
79% (28)
Phone Codes
5 pages
36 Questions That Lead To Love
91% (35)
36 Questions That Lead To Love
3 pages
How 2 Setup Trust
97% (307)
How 2 Setup Trust
3 pages
100 Questions To Ask Your Partner
78% (36)
100 Questions To Ask Your Partner
2 pages
The 36 Questions That Lead To Love - The New York Times
91% (35)
The 36 Questions That Lead To Love - The New York Times
3 pages
Satanic Calendar
25% (56)
Satanic Calendar
4 pages
The 36 Questions That Lead To Love - The New York Times
95% (21)
The 36 Questions That Lead To Love - The New York Times
3 pages
14 Easiest & Hardest Muscles To Build (Ranked With Solutions)
100% (8)
14 Easiest & Hardest Muscles To Build (Ranked With Solutions)
27 pages
Jeffrey Epstein39s Little Black Book Unredacted PDF
75% (12)
Jeffrey Epstein39s Little Black Book Unredacted PDF
95 pages
C700 PerformanceAssessment
100% (1)
C700 PerformanceAssessment
18 pages
1001 Songs
70% (73)
1001 Songs
1,798 pages
The 4 Hour Workweek, Expanded and Updated by Timothy Ferriss - Excerpt
23% (954)
The 4 Hour Workweek, Expanded and Updated by Timothy Ferriss - Excerpt
38 pages
Zodiac Sign & Their Most Common Addictions
63% (30)
Zodiac Sign & Their Most Common Addictions
9 pages
Ethical Hacking Associate (EHA)
No ratings yet
Ethical Hacking Associate (EHA)
1 page
Availo Integration Document
No ratings yet
Availo Integration Document
12 pages
Issaf0 2 1
No ratings yet
Issaf0 2 1
1,264 pages
CSCU Course
No ratings yet
CSCU Course
12 pages
Penetration Testing: Concepts, Attack Methods, and Defense Strategies
No ratings yet
Penetration Testing: Concepts, Attack Methods, and Defense Strategies
6 pages
Developing A Database Security Plan
100% (1)
Developing A Database Security Plan
13 pages
Ey How Do You Protect Robots From Cyber Attack
No ratings yet
Ey How Do You Protect Robots From Cyber Attack
17 pages
Wipro CRS Threat Advisory - WannaCry Ransomware 1.1
No ratings yet
Wipro CRS Threat Advisory - WannaCry Ransomware 1.1
12 pages
Windows Advanced Audit Policy Map To Event IDs - AuditPolicy
No ratings yet
Windows Advanced Audit Policy Map To Event IDs - AuditPolicy
5 pages
Blank ISO 27001 CLAUSE&SOA
No ratings yet
Blank ISO 27001 CLAUSE&SOA
70 pages
RSA Archer Policy Management: Build Your Governance, Risk and Compliance Program On A Firm Foundation
No ratings yet
RSA Archer Policy Management: Build Your Governance, Risk and Compliance Program On A Firm Foundation
2 pages
Dvwa Report
No ratings yet
Dvwa Report
10 pages
NERC LSE Standards Applicability Matrix Posted 02 10 2009
No ratings yet
NERC LSE Standards Applicability Matrix Posted 02 10 2009
15 pages
Com Dcom
No ratings yet
Com Dcom
62 pages
Practical Industrial Data Communications Best Practice Techniques
No ratings yet
Practical Industrial Data Communications Best Practice Techniques
428 pages
2282a 00
No ratings yet
2282a 00
16 pages
Events Codes For Fun & Profit
No ratings yet
Events Codes For Fun & Profit
19 pages
USER ACCESS MANAGEMENT
No ratings yet
USER ACCESS MANAGEMENT
4 pages
Pen Testing
No ratings yet
Pen Testing
27 pages
Lab Security Policy Cyber Security Policy
No ratings yet
Lab Security Policy Cyber Security Policy
4 pages
AnsibleAutomates AnsibleForSecurityAutomation
No ratings yet
AnsibleAutomates AnsibleForSecurityAutomation
38 pages
SE571 Air Craft Solutions - Phase 1
No ratings yet
SE571 Air Craft Solutions - Phase 1
7 pages
Cyber Security Reference Guide
No ratings yet
Cyber Security Reference Guide
14 pages
CIS Controls v8 Mapping To SOC2 1 2024
No ratings yet
CIS Controls v8 Mapping To SOC2 1 2024
144 pages
SecPoint Vulnerability Scanning Profiles
100% (1)
SecPoint Vulnerability Scanning Profiles
15 pages
Vmware Vsphere Version Comparison: Across Versions
No ratings yet
Vmware Vsphere Version Comparison: Across Versions
7 pages
Database Security Management
No ratings yet
Database Security Management
3 pages
Web Application Development Dos and Donts
No ratings yet
Web Application Development Dos and Donts
18 pages
CIS Fortigate 7.0.x Benchmark v1.3.0
No ratings yet
CIS Fortigate 7.0.x Benchmark v1.3.0
180 pages
Download Complete SAP Security Configuration and Deployment The IT Administrator s Guide to Best Practices 1st Edition Joey Hirao PDF for All Chapters
100% (3)
Download Complete SAP Security Configuration and Deployment The IT Administrator s Guide to Best Practices 1st Edition Joey Hirao PDF for All Chapters
51 pages
Linux Security & Auditing: K. K. Mookhey Founder-CTO Network Intelligence India Pvt. LTD
No ratings yet
Linux Security & Auditing: K. K. Mookhey Founder-CTO Network Intelligence India Pvt. LTD
43 pages
Windows Security Settings Working Aide
100% (5)
Windows Security Settings Working Aide
81 pages
Guidelines On Firewalls and Firewall Policy
No ratings yet
Guidelines On Firewalls and Firewall Policy
81 pages
Pentestreport Romio
No ratings yet
Pentestreport Romio
72 pages
Making The Best of Application Security Solutions: Amit Ashbel Product Evangelist
No ratings yet
Making The Best of Application Security Solutions: Amit Ashbel Product Evangelist
47 pages
Network Defense 14g
No ratings yet
Network Defense 14g
36 pages
Metasploitable 2 R2 t6003q
No ratings yet
Metasploitable 2 R2 t6003q
7 pages
28.9 RHEL-7-Security - Guide-en-US PDF
No ratings yet
28.9 RHEL-7-Security - Guide-en-US PDF
266 pages
Information Security BDCR Plan DRAFT Nov 2019
No ratings yet
Information Security BDCR Plan DRAFT Nov 2019
11 pages
Cyber Security Analyst Interview Questions and Answers
No ratings yet
Cyber Security Analyst Interview Questions and Answers
11 pages
Cloudflare Solution Brief - Zero Trust For SaaS Apps
No ratings yet
Cloudflare Solution Brief - Zero Trust For SaaS Apps
5 pages
Web Application Security
No ratings yet
Web Application Security
12 pages
Cloud Controls Matrix (CCM) R1.2: Architectural Relevance Corp Gov Relevance
0% (1)
Cloud Controls Matrix (CCM) R1.2: Architectural Relevance Corp Gov Relevance
13 pages
Isaca Code of Professional Ethics Is Auditing Standards Is Auditing Guidelines Tools and Techniques
No ratings yet
Isaca Code of Professional Ethics Is Auditing Standards Is Auditing Guidelines Tools and Techniques
20 pages
ALS Security+ Lab01
No ratings yet
ALS Security+ Lab01
10 pages
Assessment Frameworks Methodologies
No ratings yet
Assessment Frameworks Methodologies
31 pages
CCT Battle Card
No ratings yet
CCT Battle Card
2 pages
Windows 10 Security Brochure
No ratings yet
Windows 10 Security Brochure
2 pages
The Top 10 Security Weakness (Vulnerabilities) in Web Applications (OWASP Top 10)
100% (1)
The Top 10 Security Weakness (Vulnerabilities) in Web Applications (OWASP Top 10)
33 pages
SAP Security Configuration and Deployment The IT Administrator s Guide to Best Practices 1st Edition Joey Hirao download pdf
100% (3)
SAP Security Configuration and Deployment The IT Administrator s Guide to Best Practices 1st Edition Joey Hirao download pdf
61 pages
Learning iOS Penetration Testing Sample Chapter PDF
100% (1)
Learning iOS Penetration Testing Sample Chapter PDF
30 pages
Incident Response Plan Basics - 508c
100% (1)
Incident Response Plan Basics - 508c
2 pages
Automation of Penetration Testing
No ratings yet
Automation of Penetration Testing
131 pages
Owasp Top 10-2017 (En)
No ratings yet
Owasp Top 10-2017 (En)
25 pages
Nist SP 800-53 Rev. 4
No ratings yet
Nist SP 800-53 Rev. 4
1 page
09 Pentesting Routers Braa Nmap Nse
No ratings yet
09 Pentesting Routers Braa Nmap Nse
12 pages
2022 FRSecure CISSP Mentor Program - 2022 - Class Eleven
No ratings yet
2022 FRSecure CISSP Mentor Program - 2022 - Class Eleven
216 pages
Endpoint Security Solution Guide
No ratings yet
Endpoint Security Solution Guide
21 pages
GIAC Certified Perimeter Protection Analyst Complete Self-Assessment Guide
From Everand
GIAC Certified Perimeter Protection Analyst Complete Self-Assessment Guide
Gerardus Blokdyk
No ratings yet
GIAC Certified Unix Security Administrator Standard Requirements
From Everand
GIAC Certified Unix Security Administrator Standard Requirements
Gerardus Blokdyk
1/5 (1)
Events of 2010 summarized
0% (1)
Events of 2010 summarized
34 pages
Com Flor 80 Brochure
No ratings yet
Com Flor 80 Brochure
24 pages
Resolvendo Questão de Licença Do Dataprotector Hpux
No ratings yet
Resolvendo Questão de Licença Do Dataprotector Hpux
3 pages
Project Report School Management System
69% (13)
Project Report School Management System
94 pages
Voucher-OAMY WIFI ZONE - 3-HEURES-up-934-10.19.24
No ratings yet
Voucher-OAMY WIFI ZONE - 3-HEURES-up-934-10.19.24
3 pages
Esolution Letter
No ratings yet
Esolution Letter
3 pages
Curio 742 User Manual
No ratings yet
Curio 742 User Manual
136 pages
Netflix Letter - Undertakings
No ratings yet
Netflix Letter - Undertakings
15 pages
NCVT Misvijay All
No ratings yet
NCVT Misvijay All
1 page
Pay Direct
No ratings yet
Pay Direct
27 pages
Part: 3 Student Portal: Exam Form E-Payment (Student)
No ratings yet
Part: 3 Student Portal: Exam Form E-Payment (Student)
8 pages
Security Models
No ratings yet
Security Models
51 pages
Case Tools Lab-Manual PDF
No ratings yet
Case Tools Lab-Manual PDF
113 pages
A Review On - Data Hiding Using Cryptography and Steganography
No ratings yet
A Review On - Data Hiding Using Cryptography and Steganography
6 pages
Feistal Cipher Structure
No ratings yet
Feistal Cipher Structure
15 pages
Own Cloud Admin Manual
No ratings yet
Own Cloud Admin Manual
170 pages
CV
No ratings yet
CV
8 pages
Oracle Data Encryption
No ratings yet
Oracle Data Encryption
40 pages
CNS R20 Unit 4
No ratings yet
CNS R20 Unit 4
36 pages
Balangir Belpada Dhumabhata: Npci Failed Report
No ratings yet
Balangir Belpada Dhumabhata: Npci Failed Report
2 pages
Center - EZVIZ Support
No ratings yet
Center - EZVIZ Support
1 page
0613CT0001 PDF
No ratings yet
0613CT0001 PDF
180 pages
Modeling and Detection of Camouflaging Worm
No ratings yet
Modeling and Detection of Camouflaging Worm
3 pages
Flex Card
No ratings yet
Flex Card
2 pages
Detailed Case Note Example
No ratings yet
Detailed Case Note Example
5 pages
New Fratricide
No ratings yet
New Fratricide
49 pages
Cybersecurity Safeguarding The Digital Frontier
No ratings yet
Cybersecurity Safeguarding The Digital Frontier
5 pages
Best Practice Guide - Automating Appliance Configuration and Alert Backup
No ratings yet
Best Practice Guide - Automating Appliance Configuration and Alert Backup
8 pages
HK GRCC Platinum - Transfer-In App Form
No ratings yet
HK GRCC Platinum - Transfer-In App Form
1 page