The DVWA - Manual SQL Injection and Password Cracking module provides you with the instructions and devices to develop your hands-on skills in the following topics:

  • DVWA Usage
  • Performing an SQL Injection Attack
  • Password Cracking with John

Lab time: It will take approximately 1 hour to complete this lab.

Exam Objectives

The following exam objectives are covered in this lab:

  • Assess the effectiveness of software security
  • Assess security impact of acquired software

Exercise 1 - DVWA Usage

Damn Vulnerable Web App works using PHP/MySQL web applications that have been engineered to be deliberately vulnerable to a great variety of attack vectors for the purpose of allowing security professionals to test their skills and tools in a legal environment. It’s a very useful tool when learning and applying the techniques to security testing applications when using an SDLC.

In this exercise we will:

  • Activate DVWA
  • Connect to DVWA

Exercise 2 - Performing an SQL Injection Attack

SQL injections are used to inject code into applications which then pull out data which typically shouldn’t be displayed. For example, the technic can be used to find personal information of people which might be hidden from normal view presenting details like username and passwords.

In this exercise, we will cover:

  • DVWA SQL Injection

Exercise 3 - Password Cracking with John

John the Ripper detects password hashes and then cracks the type of hash through either bruteforce or by allocating John a password hash list for its use. It is used against DES, MD5, Blowfish, Kerberos AFS and Windows LM hash. It will perform dictionary attacks by hashing the wordlist and comparing the results against the password hash list.

In this exercise, you will perform the following tasks:

  • Making the Password Hash File
  • Using a Wordlist
  • Password Cracking and Validation

Comprehensive Learning

See the full benefits of our immersive learning experience with interactive courses and guided career paths.