VWA is a web application developed to help the pentester and programmers to learn the vulnerabilities that often occur in web applications which is developed using golang.
First, in order to ensure the downloads are valid, add the GPG key for the official Docker repository to your system:
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
Add the Docker repository to APT sources:
$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
Next, update the package database with the Docker packages from the newly added repo:
$ sudo apt-get update
Finally, install Docker:
$ sudo apt-get install -y docker-ce
Docker should now be installed, the daemon started, and the process enabled to start on boot. Check that it's running:
$ sudo systemctl status docker
Output
docker.service - Docker Application Container Engine
Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-01-23 20:28:23 UTC; 35s ago
Docs: https://docs.docker.com
Main PID: 13412 (dockerd)
CGroup: /system.slice/docker.service
├─13412 /usr/bin/dockerd -H fd://
└─13421 docker-containerd --config /var/run/docker/containerd/containerd.toml
Error Output when running docker without sudo:
docker: Cannot connect to the Docker daemon. Is the docker daemon running on this host?.
See 'docker run --help'.
If you want to avoid typing sudo whenever you run the docker command, add your username to the docker group:
$ sudo usermod -aG docker ${USER}
To apply the new group membership, you can log out of the server and back in, or you can type the following
$ su - ${USER}
You will be prompted to enter your user's password to continue. Afterwards, you can confirm that your user is now added to the docker group by typing:
$ id -nG
Output
yourusername sudo docker
We'll check the current release and if necessary, update it in the command below:
$ sudo curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
Next we'll set the permissions:
$ sudo chmod +x /usr/local/bin/docker-compose
Then we'll verify that the installation was successful by checking the version:
$ docker-compose --version
Clone this repository
$ git clone https://github.com/xCr00tz/vwa.git
Change Directory to vwa
$ cd vwa
Run docker compose
$ docker-compose up
password | |
---|---|
eko@gmail.com | testing |
andi@gmail.com | testing |
attacker@gmail.com | testing |
Explore the vulnerability. Read the simple pentest report on the folder report/, how can that vulnerability happen & how to mitigate this vulnerability to prevent and patch all vulnerability.
- Reflected & Stored XSS
- IDOR (Insecure Direct Object Reference)
- SQL Injection
- CSRF & Missing CORS Origin