Scan DVWA Application for Vulnerabilities

DVWA is an intentionally vulnerable web application that you can install on your server to test vulnerability scanners or to practice penetration testing. You may want to use DVWA to test the capabilities of the Acunetix vulnerability scanner and compare it to similar tools. This article explains how to set up Acunetix to scan the DVWA application.

Note: DVWA was built for educational purposes and does not accurately represent real-world applications and typical vulnerabilities, and therefore should be used only as part of the assessment of any automated tool.

Download and Install DVWA

Download DVWA from https://github.com/digininja/DVWA
Install DVWA on your test server according to the instructions in the DVWA GitHub repository. Ensure that the server is not accessible from the Internet.
Test if the DVWA application works correctly by going to the URL and logging in using the username admin and the password password.
We have to change the security level before the scan. To do that, navigate to “DVWA Security”, then select “Low” as a security level and submit it.

Configure Acunetix to Scan DVWA

To add DVWA as a target in Acunetix, select Targets from the left-side menu, then click Add Target.
Enter your DVWA URL in the Address field and click Save.
After clicking save, you are taken to the Target settings page. Amend any necessary information.
Set the scan speed from Fast to Moderate.
Enable the Site login toggle and create a new LSR.
Save it after entering the username and password.
You can add URLs to Record Restrictions to restrict the scanner from visiting these URLs. Exclusions in the LSR are used to specify what should not be scanned.
Add them to there.
- /logout.php
- /security.php
- captcha
- csrf

To improve the scan quality, we need to add the following paths to the Excluded Paths section. Please make sure to include the paths listed below.

/phpinfo.php
/setup.php
/instructions.php
^\/vulnerabilities/csrf/.*$
^\/vulnerabilities/captcha/.*$
view_source\.php
view_help\.php
about*.php
brute
weak_id
view_source_all\.php

Click “Scan” at the top right. A pop-up dialog will appear. Leave all the settings as default and click “Create Scan”.
Wait for the scan to start successfully and complete.

Get the latest content on web security
in your inbox each week.

THE AUTHOR

Bernhard Abele
Technical Support Engineer Acunetix.

Bernhard Abele is an Operations Engineer working for Acunetix. He's a Bachelor of Science (Hons.) in Computer Systems and Networking and has a technical background with over 3 years of technical support experience.