System Weakness


Deploy vulnerable web applications for Application Security (AppSec) training in under 25 minutes

After successfully installing Kali Linux, use this article as a reference to get started with Web Application Security Testing for free. The applications used in this article are open source and well suited to configuring a lab environment on your local machine.

Installing DVWA and Juice Shop

Here is a one-liner that updates Kali and installs the DVWA and Juice Shop labs (the kali-linux-labs metapackage):

sudo apt update && sudo apt full-upgrade -y && sudo apt install kali-linux-labs -y

(Enter your sudo credentials when prompted; the commands used in this article need them.)

Installation will complete in about 20 minutes, depending on download speed.

Yes, the vulnerable metapackages for testing are fully installed, that’s it!

Let’s start our vulnerable applications now.

AppSec testing with DVWA

Step 1. Start DVWA with the command “dvwa-start”

(Remember: Enter sudo credentials for successful execution)

Default credentials for a new DVWA instance are:

  • Default username = admin
  • Default password = password

The setup page loads immediately after login. If it does not, the local application should still let you visit localhost:dvwaport/setup.php directly.

Step 2. Scroll down and click Create/Reset Database

Clicking Create/Reset Database should display a response similar to the one below.

After you see “Setup Successful!”, configure the security level for this instance.

Step 3. Click the DVWA Security tab to view the level of security for the instance.

DVWA Security Options:

  • Low Level: Allows you to easily exploit all known vulnerabilities present
  • Medium Level: Requires fundamental skills in bypassing application defenses/filtration
  • High Level: Requires a thorough, practical understanding of defense evasion techniques
  • Impossible Level: Requires an advanced skill level to successfully perform attacks against the hardest instance of DVWA

Note: The file inclusion labs require additional configuration in the DVWA php.ini file (/setup.php briefly describes how to achieve this).

Step 4. Configure your application proxy tool to intercept traffic to localhost:dvwaport for all testing.

Step 5. When done with testing, stop DVWA by running “dvwa-stop”

AppSec testing with OWASP Juice Shop

Once Kali Linux has installed the Juice Shop metapackage, start testing the Juice Shop Application using the instructions below:

Step 1. Start the application by running juice-shop

The browser should open automatically to the Juice Shop home page. Otherwise, visit http://localhost:jsport. The CLI will indicate which port serves the Juice Shop web UI.

Step 2. You can create a testing account visiting http://127.0.0.1:jsport/register or by clicking “Not yet a customer?” on the login page.

Step 3. Configure your application proxy tool to intercept traffic to localhost:jsport for all testing.

Step 4. When done with testing, stop Juice Shop by running juice-shop-stop
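Both labs are intentionally vulnerable and are meant to be reached only on localhost. As an added check that is not part of the article, the POSIX shell function below reads listener output in the format of `ss -ltnH` and reports any lab port (the DVWA and Juice Shop ports you pass in) bound to a non-loopback address; the sample listener lines and port numbers are constructed placeholders.

```sh
# Added example (not from the article): confirm the lab listeners are bound to
# loopback only, so DVWA and Juice Shop are not reachable from the rest of the LAN.
# Input format is that of `ss -ltnH`: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# check_loopback_only "<ss -ltnH output>" port...
# Prints one "port address" line per lab port listening on a non-loopback
# address and returns 1; returns 0 when every lab port is loopback-only.
check_loopback_only() {
    listeners=$1
    shift
    ports=" $* "
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        set -- $line                       # split fields; $4 is Local-Address:Port
        local_addr=$4
        port=${local_addr##*:}             # text after the last colon
        addr=${local_addr%:*}              # everything before it, e.g. 0.0.0.0 or [::]
        case "$ports" in
            *" $port "*) ;;                # one of the lab ports, inspect it
            *) continue ;;                 # some other service, ignore
        esac
        case "$addr" in
            127.*|"[::1]") ;;              # loopback only: fine
            *) printf '%s %s\n' "$port" "$addr"; rc=1 ;;
        esac
    done <<EOF
$listeners
EOF
    return $rc
}

# Real use on the Kali host: lab_ports_exposed <dvwaport> <jsport>
lab_ports_exposed() {
    check_loopback_only "$(ss -ltnH)" "$@"
}

# Constructed sample (placeholder ports): DVWA on 42001 (loopback),
# Juice Shop on 3000 (all interfaces), plus unrelated CUPS and SSH listeners.
SAMPLE='LISTEN 0 511 127.0.0.1:42001 0.0.0.0:*
LISTEN 0 511 0.0.0.0:3000 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

check_loopback_only "$SAMPLE" 42001 3000 || echo "lab port exposed beyond loopback"
```

On the sample the check flags only port 3000, since SSH on 22 is not a lab port.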

References

Kali Linux

https://www.kali.org/get-kali/
https://www.kali.org/tools/dvwa/
https://www.kali.org/tools/juice-shop/
https://www.kali.org/blog/kali-linux-2022-3-release/

OWASP Resources

https://owasp.org/www-project-vulnerable-web-applications-directory/
https://owasp.org/www-project-juice-shop/

GitHub Repositories

https://github.com/juice-shop
https://github.com/digininja/DVWA
https://github.com/Martian1337/CyberSpace


Written by Martian

Application Security Engineer, Pentester. Follow me and join my Discord community @ https://links.martiandefense.llc
