Raeodun/DVWA-WebApp-Pentest-Repo

DVWA Web Application Security Audit

📌 Overview

This project documents a full security assessment of the Damn Vulnerable Web Application (DVWA) in a controlled lab environment.
The goal was to simulate real-world penetration testing engagements, identify vulnerabilities, and provide actionable remediation steps.

🎯 Objectives

  • Identify security vulnerabilities following the OWASP Top 10 methodology.
  • Practice and demonstrate professional penetration testing skills.
  • Produce a business-friendly audit report suitable for client deliverables.

🛠 Tools & Technologies

  • OWASP ZAP – Automated and manual vulnerability scanning
  • Burp Suite (Community Edition) – Intercepting proxy & manual exploitation
  • Nmap – Network discovery and port scanning
  • Nikto – Web server scanning
  • Browser Developer Tools – Manual inspection and testing

🧪 Methodology

Testing followed a combined manual and automated approach, in five phases:

  1. Reconnaissance & Enumeration
  2. Automated Scanning
  3. Manual Exploitation
  4. Proof of Concept Documentation
  5. Remediation Recommendations

πŸ” Key Findings (Examples)

  • SQL Injection (Critical) – Login bypass using unsanitized input.
  • Reflected XSS (High) – Arbitrary JavaScript execution via search parameter.
  • Cross-Site Request Forgery (Medium) – Lack of CSRF tokens in sensitive requests.
  • (Additional vulnerabilities included in the report.)

📄 Deliverables

  • DVWA_Security_Audit_Report.pdf – Full consulting-style security report.
  • /screenshots/ – Visual proof of exploitation.
  • /tools_used.md – Detailed tool usage documentation.

📚 References


⚠ Disclaimer: This project was conducted in a local lab environment on an intentionally vulnerable application.
Do not attempt these techniques on systems without explicit authorization.

About

Professional case study: OWASP-based pentest of DVWA with report, PoC screenshots, and remediation.
