Intro to DVWA

Intro

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. In this writeup, I will be exploiting DVWA vulnerabilities in different severities.

Setup

    docker run --rm -it -p 8000:80 kaakaww/dvwa-docker:latest

Walkthrough

1. I found a login page after opening the site.

Bruteforce Password

1. Capture login & analyze behavior

    username=admin&password=zap&Login=Login&user_token=6cd51b8a24a524b9349dd75c09c0cfb3

2. Reflecting Login failed after incorrect creds
3. To automatically handle CSRF Tokens: ZAP -> Tools -> Options -> Anti-CSRF -> Add `user_token`
4....

April 9, 2024 · 1 min · Dhanraj Chavan