Installing DVWA on a Virtual Machine for SQL Injection Practice

🌱 How to start this project?

This exercise aims to teach students how to identify and report an SQL injection vulnerability using the Damn Vulnerable Web Application (DVWA). The report should be made according to ISO 27001 standards for information security incident management.

Requirements

• VirtualBox installed on your computer.
• A Debian virtual machine installed in VirtualBox. (We will use the machine previously configured in earlier classes).

Benefits of Using a Virtual Machine

• Isolation: Keeps the testing environment separate from your main operating system, protecting it from potential damage.
• Ease of Restoration: You can create snapshots of your virtual machine and easily restore them if something goes wrong.
• Portability: You can easily move and share the virtual machine with others.

📝 Instructions

• Open this URL and fork the repository https://github.com/breatheco-de/incident-report-for-sql-injection-exercise-project

A new repository will be created in your account.

• Clone the newly created repository into your localhost computer.
• Once you have cloned successfully, follow the steps below carefully, one by one.

Step 1: Verify the Virtual Machine Setup Before Starting

• In the "Network" section, select "Bridge Adapter" so the VM is on the same network as your host.
• Verify the correct installation of MySQL (MariaDB), Apache, and PHP (LAMP Stack).
• Set the root password for MariaDB and configure the basic security.

Step 2: Installing and Configuring DVWA

• Download DVWA from the provided link:
• Configure DVWA Change to the DVWA directory and rename the configuration file

1cd DVWA/config 
2sudo cp config.inc.php.dist config.inc.php

• Edit the config.inc.php file to set the MariaDB credentials:

1sudo nano config.inc.php

💡 IMPORTANT: Ensure the following lines have the correct credentials:

• $_DVWA[ 'db_user' ] = 'root';
• $_DVWA[ 'db_password' ] = 'root_password';
• $_DVWA[ 'db_database' ] = 'dvwa';

• Configure the Database Log in to MariaDB and create the DVWA database

1sudo mysql -u root -p 
2CREATE DATABASE dvwa; 
3EXIT;

• Adjust Permissions

1sudo chown -R www-data:www-data /var/www/html/DVWA/
2sudo chmod -R 755 /var/www/html/DVWA/

• Open a browser in your VM and go to http://localhost/DVWA/setup.php
• Review the setup and click "Create / Reset Database".

Step 3: Conduct the SQL Injection Attack.

• Open a browser in the VM and go to http://localhost/DVWA.
• Log in to DVWA:

*Username: admin
*Password: password

• Set the Security Level Go to the "DVWA Security" tab and select the "Low" security level to facilitate exploitation.
• Execute the SQL Injection Go to the "SQL Injection" section in DVWA Enter a simple SQL injection attack in the provided "User ID" field, for example:

11' OR '1'='1

Click "Submit" and observe how DVWA processes the injection and displays the database results.

💡 NOTE: You should see a list of all users extracted from the database, indicating a successful SQL injection.

Step 4: Incident Report.

• Follow the Report Structure
  • Report Title
  • Introduction
  • Incident Description
  • Reproduction Process
  • Incident Impact
  • Recommendations
  • Conclusion

💡 NOTE: Incident reports according to ISO 27001 standards do not specifically require the inclusion of images unless they are necessary to illustrate critical points or specific technical details of the incident. However, in most cases, reports often include screenshots, charts, or diagrams only if they are relevant to support the explanation of the incident or to demonstrate how the vulnerability exploitation was carried out.

Download an example of an incident report

📝 Delivery

• At the root of the forked project, upload the report in .pdf format with the name incident-report.pdf