2009 August | ethicalhack3r

Posts from August 2009

August 23rd 2009

DVWA v1.0.5 coming soon…

DVWA v1.0.5 will be released in the near future sporting many changes including more vulnerabilities and features.


Since version 1.0.4 we have a bigger open source community which has pushed DVWA to a whole new level; without them the project couldn’t be what it is today.


DVWA v1.0.5 change log:

Complete re-code.

Complete re-design.

CSRF vulnerability.

Stored XSS vulnerability.

Full Path Disclosure vulnerability.

Login page.

Sessions.

Many bug fixes.

PHPIDS implementation.

+ much more


We are looking for sponsors for version 1.0.5 and future versions. If you would like to reach thousands of security professionals and students, DVWA is for you. If you would like to sponsor our great project, please email sales[A]ethicalhack3r.co.uk.


Alternatively, if you have found DVWA useful, you can donate funds to the project here or contribute and become a member of the project here.


You can give DVWA v1.0.5 a try before its release by downloading the development version of DVWA from SourceForge.


DVWA v1.0.5 screenshots:


I'd like to thank the DVWA team for their contributions to the project, jamesr, Tedi and Craig Bryson to name a few. I would also like to thank everyone who has blogged, tweeted, given feedback, made videos and podcast-ed DVWA.



August 4th 2009

[BONSAI] SQL Injection in CS-Cart <= 2.0.5

Here is one of the vulnerabilities which I found during my research for Bonsai Security a few weeks ago. The research consisted of vulnerability assessing commercial and open source ecommerce web applications over a 2-week period.


During the time of my research I learnt a great deal from Andres Riancho (w3af/bonsai-sec owner) and from the vulnerability assessments themselves. So what did I learn? I learnt that patience is definitely a virtue, JavaScript is a pain in the ass, ecommerce web application developers need to invest more time on security and a lot more with regard to perfecting my assessment techniques.


Here is the vulnerability report:

http://www.bonsai-sec.com/research/vulnerabilities/cs-cart_SQL-injection-0100.txt


Here is a great post by Andres on the difficulty of the actual exploitation:

http://www.bonsai-sec.com/blog/index.php/not-the-average-sql-injection/


A massive thanks to Andres for giving me the opportunity to work for him. I learnt more in the (just over) two week period working for him than I could have learnt in a whole 12 months.