DVWA - Manual SQL Injection and Password Cracking

Practice Labs Module
1 hour 2 minutes

The "DVWA - Manual SQL Injection and Password Cracking" module provides you with the instructions and devices to develop your hands-on skills in the following topics: DVWA Usage, Performing an SQL Injection Attack, Password Cracking with John.

The DVWA - Manual SQL Injection and Password Cracking module provides you with the instructions and devices to develop your hands-on skills in the following topics:

  • DVWA Usage
  • Performing an SQL Injection Attack
  • Password Cracking with John

Lab time: It will take approximately 1 hour to complete this lab.

Exam Objectives

The following exam objectives are covered in this lab:

  • CS0-001 3.4 Given a scenario, analyze common symptoms to select the best course of action to support incident response
  • CS0-001 4.2 Given a scenario, use data to recommend remediation of security issues related to identity and access management
  • CS0-001 4.3 Given a scenario, review security architecture and make recommendations to implement compensating controls
  • CS0-001 4.4 Given a scenario, use application security best practices while participating in the Software Development Life Cycle (SDLC)

Exercise 1 - DVWA Usage

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that has been deliberately engineered to be vulnerable to a wide variety of attack vectors, so that security professionals can test their skills and tools in a legal environment. It is a very useful tool for learning and applying security-testing techniques to applications within an SDLC.

In this exercise we will:

  • Activate DVWA
  • Connect to DVWA

Exercise 2 - Performing an SQL Injection Attack

SQL injection inserts attacker-controlled SQL into an application's database queries so that the query returns data that should not normally be displayed. For example, the technique can be used to retrieve personal information that is hidden from normal view, such as usernames and passwords.
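To make the mechanism concrete, here is an added Python example (not part of the lab module or of DVWA's own code) that builds a constructed stand-in for a DVWA-style users table in SQLite, runs the same two inputs through an injectable query and a parameterised one, and shows an allow-list check for the numeric field. The table layout, the sample rows and the hypothetical helper names are assumptions made for the demo.

```python
import sqlite3

# Constructed stand-in for a DVWA-style users table (sample data, not DVWA's real database).
SAMPLE_USERS = [
    (1, "admin", "constructed-hash-1"),
    (2, "gordonb", "constructed-hash-2"),
    (3, "pablo", "constructed-hash-3"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The injectable pattern: untrusted input is spliced into the SQL text itself."""
    sql = "SELECT user_id, user FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """The fix: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT user_id, user FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def validate_user_id(raw):
    """Allow-list check for this field: a user id must be a positive integer string."""
    if not raw.isdigit():
        raise ValueError("user_id must be numeric")
    return int(raw)


def demo():
    """Run a normal id and an always-true condition through both queries; return row counts."""
    conn = make_db()
    normal = "2"
    tautology = "' OR '1'='1"  # the always-true condition that makes the WHERE clause match every row
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_tautology": len(lookup_safe(conn, tautology)),
    }


if __name__ == "__main__":
    print(demo())  # {'vuln_normal': 1, 'vuln_tautology': 3, 'safe_normal': 1, 'safe_tautology': 0}
```

The vulnerable query returns all three rows for the tautology because the quote closes the string literal and the rest of the input is executed as SQL; the parameterised query treats the whole input as one opaque value, so it matches nothing, and the allow-list check rejects it before a query is ever built.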

In this exercise, we will cover:

  • DVWA SQL Injection

Exercise 3 - Password Cracking with John

John the Ripper detects the type of a password hash and then cracks it either by brute force or by working from a list supplied to it. It is used against DES, MD5, Blowfish, Kerberos AFS and Windows LM hashes. In a dictionary attack it hashes each word in the wordlist and compares the results against the password hash list.

In this exercise, you will perform the following tasks:

  • Making the Password Hash File
  • Using a Wordlist
  • Password Cracking and Validation
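The following added Python example (not part of the lab module and not John the Ripper's code) models the dictionary step just described: it hashes a constructed wordlist, looks each entry of a constructed user:hash file up in the result, and then repeats the exercise against salted, iterated hashes to show why the defence works. The sample users, passwords, wordlist and helper names are all assumptions made for the demo; the iteration count is kept deliberately small so it runs quickly.

```python
import hashlib
import os

# Constructed sample: the plaintexts exist only so the demo can build its own hash file.
# A real hash file, like the one assembled in Exercise 3, holds user:hash lines only.
_SECRETS = {
    "admin": "password",
    "gordonb": "abc123",
    "pablo": "letmein",
    "smithy": "T9#kq2!vLm",  # deliberately absent from the wordlist, so it stays uncracked
}

# Constructed wordlist standing in for a file such as john's default password.lst.
WORDLIST = ["123456", "password", "qwerty", "abc123", "letmein", "dragon"]

ITERATIONS = 1_000  # small for demo speed; production PBKDF2 settings are far higher


def md5_hex(text):
    """Unsalted MD5 hex digest, the fast hash type the wordlist is compared against."""
    return hashlib.md5(text.encode()).hexdigest()


def build_hash_file():
    """Return user:md5hash lines in the unsalted format a dictionary attack targets."""
    return [f"{user}:{md5_hex(pw)}" for user, pw in _SECRETS.items()]


def dictionary_attack(hash_lines, wordlist):
    """Hash every word once, then look each target hash up in the resulting table."""
    table = {md5_hex(word): word for word in wordlist}
    cracked = {}
    for line in hash_lines:
        user, digest = line.split(":", 1)
        if digest in table:
            cracked[user] = table[digest]
    return cracked


def salted_hash(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a per-user salt and an iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def salted_records():
    """Store each constructed password with its own random 16-byte salt."""
    records = {}
    for user, pw in _SECRETS.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_hash(pw, salt))
    return records


def salted_dictionary_attack(records, wordlist):
    """Same guesses, but every word must be rehashed per user; returns (cracked, hash_ops)."""
    cracked = {}
    hash_ops = 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            hash_ops += 1
            if salted_hash(word, salt) == digest:
                cracked[user] = word
    return cracked, hash_ops


if __name__ == "__main__":
    print(dictionary_attack(build_hash_file(), WORDLIST))
    cracked, ops = salted_dictionary_attack(salted_records(), WORDLIST)
    print(cracked, "after", ops, "slow hash operations")
```

Against unsalted MD5 the whole wordlist is hashed once (six operations) and every weak password falls in a single lookup. With per-user salts the same three weak passwords are still recovered, which is the lesson about password strength, but there is no shared table to reuse: the work becomes words times users, and each operation costs ITERATIONS rounds instead of one, which is the lesson about storing passwords with a salted, iterated hash.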