DVWA is an intentionally vulnerable web application that you can install on your server to test vulnerability scanners or to practice penetration testing. You may want to use DVWA to test the capabilities of the Acunetix vulnerability scanner and compare it to similar tools. This article explains how to set up Acunetix to scan the DVWA application.

Download and Install DVWA

  1. Download DVWA from http://www.dvwa.co.uk/
  2. Install DVWA on your test server according to the instructions in the DVWA GitHub repository. Ensure that the server is not accessible from the Internet.
  3. Check that DVWA works by browsing to its URL and logging in with the default credentials: username admin, password password.

DVWA login screen

DVWA welcome screen

Configure Acunetix to Scan DVWA

  1. Add DVWA as a target in Acunetix. Click on the Targets menu on the left and then click on the Add Target option. Enter your DVWA URL in the Address field (this article uses http://acunetix.dvwa.com as the example host).

    Add DVWA as a target
  2. Click on the Targets menu on the left and click on the http://acunetix.dvwa.com target (or whatever URL you entered for your DVWA instance).
  3. Set the Business Criticality to Low to signify that this application has no business impact for your organization; it is a throwaway test target, not a production system.
  4. Click on the Site Login option to open the Site Login section.
  5. Click on the Use pre-recorded login sequence option.
  6. Click on the New link below the Login Sequence field to open the Login Sequence Recorder (LSR). The DVWA login screen will be displayed.
  7. Enter the DVWA credentials in the LSR (admin/password).

    DVWA in LSR
  8. Click on the Next button to proceed to configure restrictions.
  9. Click on the LSR exclamation mark icon above the right panel.
  10. Enter the following in the Restriction field below:
    GET http://acunetix.dvwa.com/logout.php HTTP/1.1
    
  11. Repeat steps 9 and 10 for the following four values:
    GET http://acunetix.dvwa.com/security.php HTTP/1.1
    GET http://acunetix.dvwa.com/phpinfo.php HTTP/1.1
    GET http://acunetix.dvwa.com/setup.php HTTP/1.1
    GET http://acunetix.dvwa.com/instructions.php HTTP/1.1
    

    These restrictions keep the scanner away from pages that would break the scan rather than reveal a vulnerability: logout.php would end the recorded session, security.php would let the scanner change the DVWA security level mid-scan, and setup.php would create or reset the DVWA database.

    DVWA LSR settings

  12. Click on the Next button to have LSR identify the session and click on the Finish button when identification is complete.
  13. Scroll down to the Crawling section of the target configuration page.
  14. In the Excluded Paths field, enter the following regular expression:
    ^\/vulnerabilities/csrf/.*$
    

    And click on the + button to add it.

  15. Repeat the previous step and add the following regular expression:
    ^\/vulnerabilities/captcha/.*$
    

    Both the CSRF and the Insecure CAPTCHA exercises in DVWA are change-password forms. If the scanner submitted them it would change the admin password and invalidate the recorded login sequence, so these paths are excluded from crawling.

    DVWA excluded paths
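The login sequence, restrictions and excluded paths above are recorded through the Acunetix UI, so there is nothing on the page to run. The script below is an added example, not code from the article or from Acunetix: it reproduces the same DVWA login with plain urllib (so you can confirm the credentials and the security level that the scan will run under before recording the LSR sequence), and it applies the article's five LSR restrictions and two Excluded Paths regexes to candidate requests so you can check which DVWA paths the scan will and will not touch. The host http://acunetix.dvwa.com is the article's example; the form field names (username, password, Login, user_token, security, seclev_submit) are the ones used by DVWA's login.php and security.php and should be verified against your installed version; the sample login page is constructed for the offline check; and the restriction matcher models Acunetix's behaviour as an exact method-plus-path match, which is an assumption.

```python
"""Added example (not from the Acunetix article): replay the DVWA login and
dry-run the article's LSR restrictions / Excluded Paths against DVWA paths."""
import http.cookiejar
import re
import urllib.parse
import urllib.request
from urllib.error import URLError

DVWA_URL = "http://acunetix.dvwa.com"  # the article's example host (assumption)

# The five LSR restrictions from the article, verbatim.
LSR_RESTRICTIONS = [
    "GET http://acunetix.dvwa.com/logout.php HTTP/1.1",
    "GET http://acunetix.dvwa.com/security.php HTTP/1.1",
    "GET http://acunetix.dvwa.com/phpinfo.php HTTP/1.1",
    "GET http://acunetix.dvwa.com/setup.php HTTP/1.1",
    "GET http://acunetix.dvwa.com/instructions.php HTTP/1.1",
]

# The two Excluded Paths regexes from the article, verbatim.
EXCLUDED_PATHS = [r"^\/vulnerabilities/csrf/.*$", r"^\/vulnerabilities/captcha/.*$"]

# DVWA's hidden anti-CSRF field, e.g. <input type='hidden' name='user_token' value='...' />
TOKEN_RE = re.compile(r"<input[^>]*name=['\"]user_token['\"][^>]*value=['\"]([^'\"]+)['\"]")

# Constructed sample of the relevant part of a DVWA login page (not captured from a real server).
SAMPLE_LOGIN_HTML = (
    "<form action=\"login.php\" method=\"post\">"
    "<input type='hidden' name='user_token' value='0123456789abcdef0123456789abcdef' />"
    "</form>"
)


def extract_user_token(html: str) -> str:
    """Return DVWA's user_token from a login.php or security.php page."""
    m = TOKEN_RE.search(html)
    if not m:
        raise ValueError("no user_token field found; is this a DVWA page?")
    return m.group(1)


def _path_of(target: str) -> str:
    """Path component of an absolute URL or bare path, without the query string."""
    return urllib.parse.urlsplit(target).path or "/"


def parse_restriction(line: str):
    """'GET http://host/logout.php HTTP/1.1' -> ('GET', '/logout.php')."""
    method, url, _version = line.split()
    return method.upper(), _path_of(url)


def is_restricted(method: str, target: str) -> bool:
    """Assumed model of an LSR restriction: method and path must both match exactly."""
    want = (method.upper(), _path_of(target))
    return any(parse_restriction(r) == want for r in LSR_RESTRICTIONS)


def is_excluded(target: str) -> bool:
    """True if one of the crawler's Excluded Paths regexes matches the path."""
    path = _path_of(target)
    return any(re.match(rx, path) for rx in EXCLUDED_PATHS)


def classify(method: str, target: str) -> str:
    """'excluded' (crawler skips it), 'restricted' (LSR blocks it) or 'scan'."""
    if is_excluded(target):
        return "excluded"
    if is_restricted(method, target):
        return "restricted"
    return "scan"


def make_session():
    """Cookie-aware opener so PHPSESSID and the 'security' cookie persist across requests."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar)), jar


def fetch(opener, url, data=None):
    body = urllib.parse.urlencode(data).encode() if data is not None else None
    with opener.open(url, data=body, timeout=10) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")


def login(opener, base=DVWA_URL, username="admin", password="password") -> bool:
    """Replay what the LSR records: fetch the token, post the form, follow the redirect."""
    _, html = fetch(opener, base + "/login.php")
    form = {"username": username, "password": password, "Login": "Login",
            "user_token": extract_user_token(html)}
    final_url, _ = fetch(opener, base + "/login.php", form)
    return final_url.endswith("/index.php")  # DVWA bounces back to login.php on failure


def set_security_level(opener, level="low", base=DVWA_URL) -> None:
    """Set the level by hand, since the LSR restriction keeps the scanner off security.php."""
    _, html = fetch(opener, base + "/security.php")
    fetch(opener, base + "/security.php",
          {"security": level, "seclev_submit": "Submit", "user_token": extract_user_token(html)})


def current_security_level(jar) -> str:
    return next((c.value for c in jar if c.name == "security"), "unknown")


if __name__ == "__main__":
    for method, url in [("GET", DVWA_URL + "/logout.php"),
                        ("POST", DVWA_URL + "/vulnerabilities/csrf/"),
                        ("GET", DVWA_URL + "/vulnerabilities/sqli/?id=1&Submit=Submit")]:
        print(f"{classify(method, url):10} {method} {url}")
    try:
        opener, jar = make_session()
        if login(opener):
            set_security_level(opener, "low")
            print("logged in; DVWA security level is", current_security_level(jar))
        else:
            print("login failed: check the DVWA credentials before recording the LSR sequence")
    except URLError as exc:
        print("DVWA not reachable:", exc)
```

Run it on the same isolated network as the DVWA server; the dry run of the rules needs no network at all. If the live login reports a security level other than the one you intend to test, fix it here first, because once the scan starts the restriction on security.php prevents the scanner from changing it.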

Scan the Target

Once the configuration is complete, you can scan the target. To test for every vulnerability class Acunetix supports, use the Full Scan type. We also recommend running this scan at Moderate scan speed so that no requests are lost because the target is flooded.

  1. Click on the Targets menu on the left and click on the http://acunetix.dvwa.com target (or your own DVWA URL).
  2. Set the Scan Speed to Moderate.

    Starting the DVWA scan
  3. Click on the Save button in the top-right corner and then the Scan button to open the Choose Scanning Options box.
  4. Make sure that Full Scan is selected in the Scan Type field and then click on the Create Scan button.

    DVWA full scan

Based on independent reports from other vulnerability scanners, the DVWA application contains various vulnerabilities including brute force login, command execution, CSRF, file inclusion, SQL injection, file upload, and XSS. Our scans using Acunetix identified 75 vulnerabilities: 16 critical, 37 medium, 22 low, and 6 informational. You can use these results as a rough benchmark to confirm that your DVWA scan ran successfully. The exact counts depend on the DVWA version and on the security level in effect when the scan runs; because the login sequence keeps the scanner away from security.php, set the level you want to test in DVWA (low exposes the most vulnerabilities) before recording the login sequence.

Scan results for DVWA

THE AUTHOR
Bernhard Abele
Technical Support Engineer Acunetix.
Bernhard Abele is an Operations Engineer working for Acunetix. He's a Bachelor of Science (Hons.) in Computer Systems and Networking and has a technical background with over 3 years of technical support experience.