Vulnerability Assessment of a Web Application

A Practical Scan of DVWA using OWASP ZAP

1. Project Overview & Methodology

Objective

This project documents a vulnerability assessment performed on the Damn Vulnerable Web Application (DVWA). The goal was to use a combination of automated scanning with OWASP ZAP and manual testing techniques to identify, validate, and recommend remediation for common web application vulnerabilities.

Environment & Tools

  • Target: Damn Vulnerable Web Application (DVWA)
  • Platform: TryHackMe Online Instance
  • Scanning Tool: OWASP ZAP (Zed Attack Proxy)
  • DVWA Security Level: Low

2. Vulnerability Summary

Vulnerability              | Severity | Description                                                                                            | Affected Component
---------------------------+----------+--------------------------------------------------------------------------------------------------------+-----------------------------------
SQL Injection              | High     | User input is directly used in SQL queries without sanitization, allowing full database access.        | SQL Injection module, login fields
Reflected XSS              | High     | User input is reflected unsanitized in HTTP responses, enabling script execution in the user's browser. | XSS (Reflected) module
Command Injection          | High     | Input is passed to OS commands without validation, allowing arbitrary command execution on the server. | Command Injection module
Security Misconfiguration  | Medium   | The application uses default credentials and HTTP headers expose server/software versions.             | Login interface, web server headers

3. Manual Testing & Proof of Concept

SQL Injection Test

Payload: 1' OR '1'='1'#

ID: 1' OR '1'='1'#  First name: admin  Surname: admin
ID: 1' OR '1'='1'#  First name: Gordon  Surname: Brown
ID: 1' OR '1'='1'#  First name: Hack  Surname: Me
... (and so on)

Observation: The application returned every user record from the database, confirming a successful SQL injection. The single quote in the payload closes the string literal around the user ID, OR '1'='1' makes the WHERE clause true for every row, and the trailing # (a MySQL line comment) discards the original closing quote so the query stays syntactically valid.

Cross-Site Scripting (XSS) Test

Payload: <script>alert('XSS')</script>

Observation: A JavaScript alert box with the text 'XSS' appeared in the browser, confirming a successful reflected XSS vulnerability.

Command Injection Test

Payload: 127.0.0.1; ls

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
... (ping output) ...

help
index.php
source

Observation: In addition to the ping output, the results of the `ls` command were displayed, confirming successful command injection. The supplied value is appended to a ping command string that is handed to a shell, and the shell treats `;` as a command separator, so everything after it runs as a second command with the web server's privileges.

4. Remediation Strategies

SQL Injection

Use parameterized queries (prepared statements) so that user-supplied values are bound as data and never parsed as SQL; add server-side input validation (for example, the user ID above should only ever be an integer); run the application with a least-privileged database account; and disable detailed SQL error messages in production environments so that query structure is not leaked to an attacker.
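The following is an added example, not code from the report or from DVWA itself. It reproduces the SQL Injection test from section 3 against a constructed in-memory SQLite table (the users and column names are assumed to resemble DVWA's; they are not a dump of the real table) and shows the same query written with a bound parameter. SQLite does not understand MySQL's `#` line comment, so the report's payload is rewritten with `--`; the mechanism is otherwise identical.

```python
import sqlite3

# Constructed sample data shaped like the rows DVWA returned in section 3;
# not a copy of the real DVWA users table.
SAMPLE_USERS = [
    ("1", "admin", "admin"),
    ("2", "Gordon", "Brown"),
    ("3", "Hack", "Me"),
    ("4", "Pablo", "Picasso"),
    ("5", "Bob", "Smith"),
]

# The report's payload uses MySQL's '#' line comment. SQLite (used here so the
# example runs offline) only understands '--', so the same attack is written as:
PAYLOAD_MYSQL = "1' OR '1'='1'#"
PAYLOAD_SQLITE = "1' OR '1'='1'--"


def make_db():
    """In-memory database with a users table resembling DVWA's (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query_vulnerable(user_id):
    """String concatenation, the pattern DVWA's low-security module follows."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"


def lookup_vulnerable(conn, user_id):
    # The attacker's quote closes the literal, OR '1'='1' is always true, and the
    # trailing comment swallows the original closing quote: every row comes back.
    return conn.execute(build_query_vulnerable(user_id)).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised query: the value is bound separately and never parsed as SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("query sent:   ", build_query_vulnerable(PAYLOAD_SQLITE))
    print("vulnerable:   ", lookup_vulnerable(db, PAYLOAD_SQLITE))  # every row
    print("parameterised:", lookup_safe(db, PAYLOAD_SQLITE))        # no rows
```

With the parameterised version the whole payload is compared, as a string, against the user_id column, so no row matches and the injected OR clause never exists as SQL.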

Cross-Site Scripting (XSS)

Apply context-aware output encoding (HTML-entity encoding for the HTML body, attribute encoding inside attributes, JavaScript encoding inside scripts) at the point where user-supplied data is written into the page, rather than relying on input sanitization alone. Add a Content Security Policy that forbids inline scripts (no 'unsafe-inline' in script-src) so that an injected <script> block is not executed even where encoding has been missed.
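The following is an added example, not code from the report or from DVWA. It replays the XSS payload from section 3 through a vulnerable renderer that mirrors DVWA's low-level behaviour (the name parameter echoed verbatim into the HTML body) and through a hardened one that HTML-entity encodes at output time, and it builds the CSP header described above. The page template and header values are assumptions for illustration.

```python
import html
import re

PAYLOAD = "<script>alert('XSS')</script>"


def render_vulnerable(name):
    """Echoes the parameter verbatim into the HTML body, as DVWA's low level does."""
    return f"<pre>Hello {name}</pre>"


def render_safe(name):
    """HTML-entity encodes the value for an HTML body (text) context at output time.

    quote=True also encodes ' and " so the same function is safe inside quoted
    attribute values; a JavaScript or URL context would need a different encoder.
    """
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def csp_header():
    """Defence in depth: a policy that refuses inline scripts even if encoding is missed.

    Example values; a real policy is tuned to the site's own script origins.
    """
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    )


def script_tag_present(page):
    """Demo check: does a real <script> element survive in the rendered output?"""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))  # browser executes alert('XSS')
    print(render_safe(PAYLOAD))        # browser displays the payload as text
    print(": ".join(csp_header()))
```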

Command Injection

Do not pass user input to a shell. Where a system command is unavoidable, validate the input against a strict allowlist (for the ping feature, only a syntactically valid IP address or hostname) and invoke the program with an argument vector rather than a shell command string, so that shell metacharacters such as `;`, `|`, `&&` and backticks carry no meaning. Run the web server under a low-privilege account and confine it (containers, AppArmor/SELinux or similar) to limit the impact of any residual flaw.
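The following is an added example, not code from the report or from DVWA. It shows the command string that the section 3 payload produces when input is concatenated into a shell command, next to a hardened version that allowlists the target as an IP address and invokes ping with an argument vector and no shell. The ping options are assumed from the output shown in section 3 (four packets); run_ping is provided for readers but not exercised here, since it needs a network-capable host.

```python
import ipaddress
import subprocess

PAYLOAD = "127.0.0.1; ls"


def build_command_vulnerable(target):
    """DVWA's low-level pattern: the input is appended to a string a shell executes.

    The shell splits on ';' and runs 'ls' as a second command.
    """
    return "ping -c 4 " + target


def validate_target(target):
    """Allowlist: only a syntactically valid IPv4/IPv6 address passes; anything else raises."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"rejected target: {target!r}") from None


def is_valid_target(target):
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_command_safe(target):
    """Argument vector for subprocess without a shell: metacharacters have no meaning.

    Even if validation were bypassed, '127.0.0.1; ls' would reach ping as one
    argument and fail name resolution rather than run a second command.
    """
    return ["ping", "-c", "4", validate_target(target)]


def run_ping(target, timeout=15):
    """Runs the validated command; shell=False is subprocess's default."""
    return subprocess.run(
        build_command_safe(target), capture_output=True, text=True, timeout=timeout
    )


if __name__ == "__main__":
    print("shell would run:", build_command_vulnerable(PAYLOAD))
    print("argv for 127.0.0.1:", build_command_safe("127.0.0.1"))
    print("payload accepted? ", is_valid_target(PAYLOAD))  # False
```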

Security Misconfiguration

Immediately change or remove all default credentials and enforce a password policy for the remaining accounts. Configure the web server and application stack to suppress version-bearing headers such as Server and X-Powered-By (for example, ServerTokens Prod in Apache and expose_php = Off in PHP). Regularly audit and harden server configurations against a recognised baseline.