Web Application Targets
Most of the internet is web applications — and so are most real-world breaches. Learning to test web apps safely is one of the most valuable skills you can build. This sub-section uses DVWA, the Damn Vulnerable Web Application.
What you'll achieve here: a running DVWA instance on your lab network, and an understanding of the vulnerability classes you can practise against it.
What is web application testing?
Web application testing focuses on the software that runs in your browser and on the server behind it — login forms, search boxes, file uploads, APIs. Instead of attacking the operating system directly, you abuse flaws in how the application handles input, sessions, and access.
Vulnerability classes you'll meet
DVWA is organised by vulnerability, mapping closely to the well-known OWASP Top 10:
| Vulnerability | What it lets an attacker do |
|---|---|
| SQL Injection | Read or modify the database by injecting SQL through input fields. |
| Cross-Site Scripting (XSS) | Run malicious JavaScript in another user's browser. |
| Command Injection | Execute operating-system commands on the server. |
| File Upload | Upload a web shell to gain code execution. |
| Broken Access Control | Access pages or data you shouldn't be able to. |
| CSRF | Trick a logged-in user into performing unwanted actions. |
Your Kali box already has the right tools for this: Burp Suite (intercepting proxy), SQLmap (automated SQL injection), and Nikto (web server scanning).