For this guide we will be working with Docker. Docker is a system that allows you to easily spin up a container from a configuration file. This eliminates the need to install all of the dependencies on our own system just to run something simple like the DVWA. We simply have to install Docker on our host system. To do this on Windows or OSX, simply download the Docker Desktop client from their homepage.
For Linux, install it using either apt or yum:
sudo apt-get install docker.io
sudo yum install docker
Installing our test application
We will be using DVWA as our test application to demonstrate these vulnerability types, so that you can get an easy overview of the basics and follow along. First, though, we need to install DVWA by pulling its Docker image.
docker pull vulnerables/web-dvwa
This will take a while, so sit back and grab a coffee.
Now that we have the image pulled, all we need to do is start it.
docker run --rm -it -p 80:80 vulnerables/web-dvwa
Running the above command will start the web-dvwa container and publish it on port 80. We can then browse to http://127.0.0.1 using any web browser and log in with the username and password “test”. After logging in, you will notice the DVWA script detecting a fresh installation and asking to create/reset the database. Simply click the button and let DVWA do all the work for you.
This will send you back to the login page, where you can no longer use the test/test username and password combination. You will now need to log in using the following credentials:
- Username: admin
- Password: password
Congratulations, you are now ready to start testing!
Docker containers are not persistent, meaning they will reset every time you start them up, and you will have to log in with the username and password combination of test/test and create the database again. There are ways to get around this, but for now we will simply use this basic method, as we don’t need a more advanced one.
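By default, the -p 80:80 option used in the docker run command above publishes port 80 on every interface of the host, so the deliberately vulnerable DVWA is reachable from the rest of your network. The script below is an added example, not part of the original guide: it starts the container bound to 127.0.0.1 only and checks the output of docker port for any non-loopback binding. The container name dvwa and the sample output lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: start DVWA reachable only from the local machine, then
# verify the published port. The container name "dvwa" is an assumption.

IMAGE="vulnerables/web-dvwa"
NAME="dvwa"

# Read `docker port` output on stdin and print every host binding that is
# not on a loopback address (lines look like "80/tcp -> 0.0.0.0:80").
exposed_bindings() {
    while read -r _port _arrow binding; do
        case "$binding" in
            127.*|"[::1]:"*) ;;          # loopback only: fine
            "") ;;                        # blank or malformed line
            *) printf '%s\n' "$binding" ;;
        esac
    done
}

# Start the container detached, publishing port 80 on 127.0.0.1 only.
start_dvwa() {
    docker run --rm -d --name "$NAME" -p 127.0.0.1:80:80 "$IMAGE"
}

# Fail if any published port is reachable from other hosts.
check_dvwa() {
    exposed=$(docker port "$NAME" | exposed_bindings)
    if [ -n "$exposed" ]; then
        echo "DVWA is published beyond loopback: $exposed" >&2
        return 1
    fi
    echo "DVWA is published on loopback only"
}

# Constructed sample of `docker port` output for the guide's -p 80:80 form.
SAMPLE_OPEN='80/tcp -> 0.0.0.0:80
80/tcp -> [::]:80'
# Constructed sample for the loopback-bound form used by start_dvwa.
SAMPLE_LOCAL='80/tcp -> 127.0.0.1:80'

# Only touch Docker when asked to: sh dvwa.sh start
if [ "${1:-}" = "start" ]; then
    start_dvwa && check_dvwa
fi
```

Saved as dvwa.sh (a file name chosen for this example), it is run with the argument start; the login steps in the guide are unchanged because the browser still connects to http://127.0.0.1.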