Learning Hub / Target Machines / Web Application Targets

Web Application Targets

Section 3.1 Difficulty: Beginner → Intermediate

Most of the internet is web applications — and so are most real-world breaches. Learning to test web apps safely is one of the most valuable skills you can build. This sub-section uses DVWA, the Damn Vulnerable Web Application.

What you'll achieve here: a running DVWA instance on your lab network, and an understanding of the vulnerability classes you can practise against it.

What is web application testing?

Web application testing focuses on the software that runs in your browser and on the server behind it — login forms, search boxes, file uploads, APIs. Instead of attacking the operating system directly, you abuse flaws in how the application handles input, sessions, and access.

Vulnerability classes you'll meet

DVWA is organised by vulnerability, mapping closely to the well-known OWASP Top 10:

VulnerabilityWhat it lets an attacker do
SQL InjectionRead or modify the database by injecting SQL through input fields.
Cross-Site Scripting (XSS)Run malicious JavaScript in another user's browser.
Command InjectionExecute operating-system commands on the server.
File UploadUpload a web shell to gain code execution.
Broken Access ControlAccess pages or data you shouldn't be able to.
CSRFTrick a logged-in user into performing unwanted actions.

Your Kali box already has the right tools for this: Burp Suite (intercepting proxy), SQLmap (automated SQL injection), and Nikto (web server scanning).

Continue