-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 96ca42c
Showing
552 changed files
with
72,411 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Only set these if PHP 5 is loaded as an apache module | ||
| <IfModule mod_php5.c> | ||
| php_flag magic_quotes_gpc Off | ||
| #php_flag allow_url_fopen on | ||
| #php_flag allow_url_include on | ||
| </IfModule> | ||
|
|
||
| # Only set these if PHP 4 is loaded as an apache module | ||
| <IfModule mod_php4.c> | ||
| php_flag magic_quotes_gpc Off | ||
| #php_flag allow_url_fopen on | ||
| #php_flag allow_url_include on | ||
| </IfModule> | ||
|
|
||
| # Limit access to localhost | ||
| #<Limit GET POST PUT> | ||
| # order deny,allow | ||
| # deny from all | ||
| # allow from 127.0.0.1 | ||
| #</Limit> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,157 @@ | ||
| DAMN VULNERABLE WEB APPLICATION | ||
| ======================= | ||
|
|
||
| v1.9 (2015-10-05) | ||
| ====== | ||
|
|
||
| + Added a dedicated objective (or "flag") for file include. (@g0tmi1k) | ||
| + Added a warning to any module that requires a certain configuration. (@g0tmi1k) | ||
| + Added comments to all source code that would be visible via DVWA modules. (@g0tmi1k) | ||
| + Added CSRF token to pre-auth forms (login/setup/security pages). (@g0tmi1k + @Shinkurt) | ||
| + Added HttpOnly cookie flag on impossible levels. (@g0tmi1k) | ||
| + Added more detail to the documentation. (@g0tmi1k) | ||
| + Added PDO to all impossible levels requiring MySQL. (@g0tmi1k) | ||
| + Added PHPIDS options into the config file. (@g0tmi1k) | ||
| + Added system check to setup. (@g0tmi1k) | ||
| + Added various information to all help pages for every module. (@g0tmi1k) | ||
| + Changed brute force medium to be harder due to sleep. (@g0tmi1k) | ||
| + Changed file include landing page + added 3x example pages. (@g0tmi1k) | ||
| + Changed file include medium to be harder due to more filters. (@g0tmi1k) | ||
| + Changed HTTP REFERER check for medium level CSRF. (@g0tmi1k) | ||
| + Changed input box for medium level with SQLi + SQLi Blind. (@g0tmi1k) | ||
| + Changed SQLi + SQLi Blind to be $_POST rather than $_GET. (@g0tmi1k) | ||
| + Changed SQLi Blind to be a real example of the vulnerability. (@g0tmi1k) | ||
| + Fixed brute force and file upload impossible levels, as they were vulnerable. (@g0tmi1k + @Shinkurt) | ||
| + Fixed bug with file fnclude page not loading. (@g0tmi1k) | ||
| + Fixed CAPTCHA bug to read URL parameters on impossible. (@g0tmi1k) | ||
| + Fixed CAPTCHA bug where the form wouldn't be visible. (@g0tmi1k) | ||
| + Fixed CAPTCHA bug where the URL parameters were not being used for low + medium. (@g0tmi1k) | ||
| + Fixed CSRF medium level bug when not on localhost. (@g0tmi1k) | ||
| + Fixed setup bug with custom URL path. (@g0tmi1k) | ||
| + Removed PostgreSQL DB support. (@g0tmi1k) | ||
| + Renamed 'Command Execution' to 'Command Injection'. (@g0tmi1k) | ||
| + Renamed 'high' level to 'impossible' and created new vectors for 'high'. (@g0tmi1k) | ||
| + Updated README and documentation. (@g0tmi1k) | ||
| + Various code cleanups in the core PHP files+CSS. (@g0tmi1k) | ||
| + Various setup improvements (e.g. redirection + limited menu links). (@g0tmi1k) | ||
|
|
||
| v1.8 (2013-05-01) | ||
| ====== | ||
|
|
||
| + Versioning change: Version numbers now follow Major.Minor (e.g. v1.8) removing the middle digit. | ||
| + Moved default security level setting to the config file. | ||
| + Fixed a bug which prevented setup when a database name other than 'dvwa' was used. | ||
| + Added a logic challenge involving an insecure CAPTCHA (requires external internet access) | ||
|
|
||
| v1.0.7 (2010-09-08) | ||
| ====== | ||
|
|
||
| + Re-designed the login page + made some other slight cosmetic changes. 06/06/2010 (@ethicalhack3r) | ||
| + Started PostgreSQL implementation. 15/03/2010 (@ethicalhack3r) | ||
| + A few small cosmetic changes. 15/03/2010 (@ethicalhack3r) | ||
| + Improved the help information and look. 15/03/2010 (@ethicalhack3r) | ||
| + Fixed a few bugs thanks to @Digininja. 15/03/2010 (@ethicalhack3r) | ||
| + Show logged in username. 05/02/2010 (Jason Jones) | ||
| + Added new info on RandomStorm. 04/02/2010 (@ethicalhack3r) | ||
| + Added 'SQL Injection (Blind)'. 04/02/2010 (@ethicalhack3r) | ||
| + Added official documentation. 21/11/2009 (@ethicalhack3r) | ||
| + Implemented view all source functionality. 16/10/2009 (tmacuk, craig, @ethicalhack3r) | ||
|
|
||
| v1.0.6 (2009-10-05) | ||
| ====== | ||
|
|
||
| + Fixed a bug where the logo would not show on first time use. 03/09/2009 (@ethicalhack3r) | ||
| + Removed 'current password' input box for low+med CSRF security. 03/09/2009 (@ethicalhack3r) | ||
| + Added an article which was written for OWASP Turkey. 03/10/2009 (@ethicalhack3r) | ||
| + Added more toubleshooting information. 02/10/2009 (@ethicalhack3r) | ||
| + Stored XSS high now sanitises output. 02/10/2009 (@ethicalhack3r) | ||
| + Fixed a 'bug' in XSS stored low which made it not vulnerable. 02/10/2009 (@ethicalhack3r) | ||
| + Rewritten command execution high to use a whitelist. 30/09/09 (@ethicalhack3r) | ||
| + Fixed a command execution vulnerability in exec high. 17/09/09 (@ethicalhack3r) | ||
| + Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/09 (@ethicalhack3r) | ||
| + Added the upload directory to the upload help. 17/09/09 (@ethicalhack3r) | ||
|
|
||
| v1.0.5 (2009-09-03) | ||
| ====== | ||
|
|
||
| + Made IE friendly as much as possible. 30/08/2009 (@ethicalhack3r) | ||
| + Removed the acunetix scan report. 30/08/2009 (@ethicalhack3r) | ||
| + Added 'Clear Log' button to PHPIDS parser. 27/08/2009 (@ethicalhack3r) | ||
| + Implemented PHPIDS log parser. 27/08/2009 (@ethicalhack3r) | ||
| + Implemented Stored XSS vulnerability. 27/08/2009 (@ethicalhack3r) | ||
| + Added htaccess rule for localhost access only. 22/08/2009 (@ethicalhack3r) | ||
| + Added CSRF. 01/08/2009 (@ethicalhack3r) | ||
| + Implemented sessions/login. 01/08/2009 (@ethicalhack3r) | ||
| + Complete recode. (jamesr) | ||
| + Complete redesign. (jamesr) | ||
| + Delimited 'dvwa' in session- minimising the risk of clash with other projects running on localhost. 01/08/2009 (jamesr) | ||
| + Integrated PHPIDS v0.6. 01/08/2009 (jamesr) | ||
| + Streamlined login functionality. 01/08/2009 (jamesr) | ||
|
|
||
| v1.0.4 (2009-06-29) | ||
| ====== | ||
|
|
||
| + Added acunetix scan report. 24/06/2009 | ||
| + All links use http://hiderefer.com to hide referrer header. 23/06/2009 | ||
| + Updated/added 'more info' links. 23/06/2009 | ||
| + Moved change log info to CHANGELOG.txt. 22/06/2009 | ||
| + Fixed the exec.php UTF-8 output. 16/06/2009 | ||
| + Moved Help/View source buttons to footer. 12/06/2009 | ||
| + Fixed phpInfo bug. 12/06/2009 | ||
| + Made dvwa IE friendly. 11/06/2009 | ||
| + Fixed html bugs. 11/06/2009 | ||
| + Added more info to about page. 03/06/2009 | ||
| + Added pictures for the users. 03/06/2009 | ||
| + Fixed typos on the welcome page. 03/06/2009 | ||
| + Improved README.txt and fixed typos. 03/06/2009 | ||
| + Made SQL injection possible in sqli_med.php. Thanks to Teodor Lupan. 03/06/2009 | ||
|
|
||
| v1.0.3 (2009-05-25) | ||
| ====== | ||
|
|
||
| + Changed XAMPP link in index.php. 25/05/2009 | ||
| + Set default security to low. 25/05/2009 | ||
| + Improved output in setup.php. 25/05/2009 | ||
|
|
||
| v1.0.2 (2009-05-24) | ||
| ====== | ||
|
|
||
| + Removed phpinfo on higher security levels. 24/05/2009 | ||
| + Moved all vulnerable code to /source/. 24/05/2009 | ||
| + Added viewsource. 24/05/2009 | ||
|
|
||
| v1.0.1 (2009-05-24) | ||
| ====== | ||
|
|
||
| + Implemented different security levels. 24/05/2009 | ||
| + Changed XSS from POST to GET. 22/05/2009 | ||
| + Some changes to CSS. 22/05/2009 | ||
| + Version number now in variable in header.php. 21/05/2009 | ||
| + Added about page. 21/05/2009 | ||
| + Updated login script to use database. 21/05/2009 | ||
| + Added admin user to database. 21/05/2009 | ||
| + Combined RFI + LFI to make 'File Inclusion'. 21/05/2009 | ||
| + More realism to Local File Inclusion. 21/05/2009 | ||
| + Better error output on upload script. 21/05/2009 | ||
|
|
||
| v1.0 (2009-05-20) | ||
| ==== | ||
|
|
||
| + Made command execution more realistic. 20/05/2009 | ||
| + Added help buttons. 20/05/2009 | ||
| + Added .htaccess file to turn magic quotes off. 20/05/2009 | ||
| + Improved database creation with setup.php. 19/05/2009 | ||
| + Amended installation instructions in README file. 19/05/2009 | ||
| + Added GNU GPL license. 19/05/2009 | ||
| + Added a robots.txt file with disallow all. 26/01/2009 | ||
| + Removed link to www.ethicalhacker.co.uk in footer. 26/01/2009 | ||
| + Added better error output on magic quotes. 26/01/2009 | ||
|
|
||
|
|
||
| Links | ||
| ===== | ||
|
|
||
| + Homepage: http://www.dvwa.co.uk | ||
| + Project Home: https://github.com/RandomStorm/DVWA | ||
|
|
||
| _Created by the DVWA team._ |
Oops, something went wrong.