The aim of this GitHub repository is to provide a complete guide to cybersecurity.
Web security is the branch of security that covers the protective measures and protocols an organization adopts to defend itself against cyber criminals and threats that arrive over the web channel. It is critical to business continuity and to protecting data, users and companies from risk.
The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security; all of its resources are free and open.
It is important that you get familiar with some basic concepts before proceeding with web security. Here are some questions you should be able to answer before starting this section.
- What are a server and a client?
- How are websites hosted?
- What programming languages are used on the web?
- What are an HTTP request and an HTTP response?
Damn Vulnerable Web Application (DVWA) is the best place for beginners to start their journey with web security. DVWA is an open-source lab that provides a deliberately vulnerable environment where learners can practice the skills they learn from the concepts above.
Note: For detailed installation instructions, please refer to the GitHub page of DVWA.
Let's start the apache2 and mysql servers.

```shell
sudo service apache2 start
sudo service mysql start
```

Setting up DVWA (the distributed config file lives in the `config/` directory of the checkout):

```shell
cd /var/www/html
git clone https://github.com/digininja/DVWA.git
sudo chmod 777 DVWA
cd DVWA
sudo cp config/config.inc.php.dist config/config.inc.php
```

Let's create a sample database. We will start by logging in and then create the database.
Note: If you are using Kali and have not changed the password of the `mysql` root user, the password is empty, so just press Enter when asked for it.

```
sudo mysql -u root -p
mysql> create database dvwa;
Query OK, 1 row affected (0.00 sec)
mysql> create user dvwa@localhost identified by 'p@ssw0rd';
Query OK, 0 rows affected (0.01 sec)
mysql> grant all on dvwa.* to dvwa@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit;
```

Depending on your operating system and version of PHP, you may wish to alter the default configuration. The location of the files differs from machine to machine.
Folder permissions:
- `./hackable/uploads/` - needs to be writable by the web service (for File Upload).
- `./external/phpids/0.6/lib/IDS/tmp/phpids_log.txt` - needs to be writable by the web service (if you wish to use PHPIDS).

PHP configuration (`php.ini`):
- `allow_url_include = on` - allows Remote File Inclusion (RFI) [allow_url_include]
- `allow_url_fopen = on` - allows Remote File Inclusion (RFI) [allow_url_fopen]
- `safe_mode = off` - (if PHP <= v5.4) allows SQL Injection (SQLi) [safe_mode]
- `magic_quotes_gpc = off` - (if PHP <= v5.4) allows SQL Injection (SQLi) [magic_quotes_gpc]
- `display_errors = off` - (optional) hides PHP warning messages to make the output less verbose [display_errors]

File: `config/config.inc.php`:
- `$_DVWA[ 'recaptcha_public_key' ]` & `$_DVWA[ 'recaptcha_private_key' ]` - these values need to be generated from: https://www.google.com/recaptcha/admin/create
Now visit `http://127.0.0.1/DVWA` in a browser and log in with username `admin` and password `password`.
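As an added example (not part of this guide or of the DVWA project), here is a small POSIX shell checker for the `php.ini` directives listed in the configuration section above. It reads the last uncommented value of each directive, compares it with what DVWA expects, and exits non-zero on a mismatch. The `php.ini` path and the `www-data` service user in the comments are assumptions for a Debian-style layout, and the ini fragment at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that a php.ini carries the directives the DVWA setup expects.
# Not part of this guide or of DVWA. Paths and the service user below are assumptions.

# Print the effective value of a php.ini directive, lower-cased: the last
# uncommented occurrence wins, matching how PHP applies repeated definitions.
# Prints "unset" if the directive never appears or is only present behind ';'.
ini_value() {
    # $1 = path to php.ini, $2 = directive name
    val=$(grep -iE "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
          | cut -d= -f2- | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Compare every directive from the guide with the value DVWA expects.
# Returns 0 when all match, 1 when at least one differs. The two PHP <= 5.4
# directives (safe_mode, magic_quotes_gpc) are reported for information only,
# because modern PHP has removed them and they will read as "unset".
check_dvwa_php_ini() {
    ini="$1"
    rc=0
    for pair in allow_url_include:on allow_url_fopen:on display_errors:off; do
        name=${pair%%:*}; want=${pair##*:}
        have=$(ini_value "$ini" "$name")
        if [ "$have" = "$want" ]; then
            printf 'ok        %-18s = %s\n' "$name" "$have"
        else
            printf 'MISMATCH  %-18s = %s (DVWA expects %s)\n' "$name" "$have" "$want"
            rc=1
        fi
    done
    for name in safe_mode magic_quotes_gpc; do
        printf 'info      %-18s = %s (only relevant on PHP <= 5.4)\n' \
            "$name" "$(ini_value "$ini" "$name")"
    done
    return $rc
}

# Demonstration on a constructed php.ini fragment (not a real system file):
# a commented-out line must not count, and a later definition must override
# an earlier one. display_errors is deliberately wrong so the mismatch shows.
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
; constructed sample for the checker
;allow_url_include = On
allow_url_include = Off
allow_url_include = On
allow_url_fopen = On
display_errors = On
EOF
check_dvwa_php_ini "$demo_ini"; echo "exit status: $?"
rm -f "$demo_ini"

# On a real lab box (paths are assumptions; adjust to your PHP version):
#   check_dvwa_php_ini /etc/php/8.2/apache2/php.ini
# The writable-directory requirement must be tested as the web service user,
# not as yourself:
#   sudo -u www-data test -w /var/www/html/DVWA/hackable/uploads && echo writable
```

Because these directives deliberately weaken PHP so that the DVWA exercises work, the same checker read the other way round is a quick way to confirm that a machine which is not the lab still has them in their default state.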