monxcode/vulnerability-research

INTERNSHIP PROJECT [02]


DVWA Web Application Vulnerability Research & Reporting


Organization: Cryptonic Area
Duration: 9 - 18 February 2026

1. Executive Summary

This project is part of the Cyber Security & Ethical Hacking Research Module (v2026.02).

A manual security assessment was performed on the Damn Vulnerable Web Application (DVWA) in a controlled Kali Linux lab environment.

The objective was to identify, exploit, analyze, and document web application vulnerabilities aligned with OWASP Top 10 categories.


2. Target Environment

| Component | Details |
|---|---|
| Application | Damn Vulnerable Web Application (DVWA) |
| Platform | Kali Linux |
| Hosting | Localhost |
| Security Level | Low |
| Testing Type | Manual Penetration Testing |
| Reference Standard | OWASP Top 10 |

3. Project Objectives

| Objective ID | Objective Description |
|---|---|
| OBJ-01 | Identify web application vulnerabilities |
| OBJ-02 | Exploit vulnerabilities in a controlled environment |
| OBJ-03 | Capture Proof-of-Concept evidence |
| OBJ-04 | Perform impact analysis |
| OBJ-05 | Classify severity level |
| OBJ-06 | Suggest remediation strategies |

4. Project Structure

DVWA-Pentest-Project/
│
├── README.md
│
├── poc/
│   ├── Brute-Force.png
│   ├── Weak-Password.png
│   ├── XSS-Reflected.png
│   ├── XSS-Stored.png
│   ├── command.png
│   └── sql-injection.png
│
└── reports/
    ├── Brute-Force.md
    ├── Command-Injection.md
    ├── Final-Summary.md
    ├── SQL-injection.md
    ├── XSS-Reflected.md
    ├── XSS-Stored.md
    └── weak-password-authentication.md

5. Vulnerability Summary Table

| ID | Vulnerability | OWASP Category | Severity | Exploitable | Risk Impact |
|---|---|---|---|---|---|
| V-01 | SQL Injection | Injection | Critical | Yes | Database Compromise |
| V-02 | Command Injection | Injection | Critical | Yes | Remote Code Execution |
| V-03 | Stored XSS | Cross-Site Scripting | High | Yes | Persistent Script Execution |
| V-04 | Reflected XSS | Cross-Site Scripting | Medium | Yes | Session Hijacking |
| V-05 | Brute Force | Authentication Failures | High | Yes | Account Takeover |
| V-06 | Weak Password Authentication | Authentication Failures | High | Yes | Increased Attack Success Rate |

6. Detailed Vulnerability Breakdown

🔴 V-01: SQL Injection

📄 View Report
SQL Injection PoC

| Attribute | Details |
|---|---|
| Severity | Critical |
| Attack Type | Injection |
| Impact | Unauthorized database access |
| Risk | Data leakage, authentication bypass |

🔴 V-02: Command Injection

📄 View Report
Command Injection PoC

| Attribute | Details |
|---|---|
| Severity | Critical |
| Attack Type | OS Command Injection |
| Impact | Remote command execution |
| Risk | Full system compromise |

🟠 V-03: Stored XSS

📄 View Report
Stored XSS PoC

| Attribute | Details |
|---|---|
| Severity | High |
| Attack Type | Persistent XSS |
| Impact | Malicious script execution |
| Risk | Session hijacking, credential theft |

🟡 V-04: Reflected XSS

📄 View Report
Reflected XSS PoC

| Attribute | Details |
|---|---|
| Severity | Medium |
| Attack Type | Reflected XSS |
| Impact | Requires victim interaction |
| Risk | Social engineering exploitation |

🟠 V-05: Brute Force

📄 View Report
Brute Force PoC

| Attribute | Details |
|---|---|
| Severity | High |
| Attack Type | Credential Guessing |
| Impact | Account takeover |
| Risk | Unauthorized admin access |

🟠 V-06: Weak Password Authentication

📄 View Report
Weak Password PoC

| Attribute | Details |
|---|---|
| Severity | High |
| Attack Type | Weak Credential Policy |
| Impact | Increased brute-force success |
| Risk | Authentication bypass |

7. Severity Classification Matrix

| Severity Level | Description | Example |
|---|---|---|
| Critical | Direct system/database compromise | SQL Injection |
| High | Authentication bypass or persistent exploitation | Stored XSS |
| Medium | Requires user interaction | Reflected XSS |

8. Security Weaknesses Observed

| Security Control | Status |
|---|---|
| Input Validation | Not Implemented |
| Output Encoding | Not Implemented |
| Password Complexity | Not Enforced |
| Account Lockout | Not Implemented |
| Rate Limiting | Not Implemented |
| Secure Coding Practices | Weak |

9. Skills Demonstrated

| Skill Category | Description |
|---|---|
| Web Security Testing | Manual exploitation techniques |
| Vulnerability Research | Identifying root causes |
| Risk Assessment | Severity classification |
| Documentation | Professional reporting |
| Authentication Analysis | Password & brute-force testing |

10. Conclusion

This project demonstrates hands-on experience in web application security assessment and professional vulnerability reporting.

The assessment highlights the importance of:

  • Secure input handling
  • Strong authentication mechanisms
  • Secure coding practices
  • Regular security testing

11. Risk Scoring (CVSS-Like Assessment)

To better quantify the security impact, a CVSS-inspired risk scoring model was applied based on:

  • Attack Vector
  • Attack Complexity
  • Privileges Required
  • User Interaction
  • Impact on Confidentiality, Integrity, Availability

| ID | Vulnerability | Severity | Likelihood (1–5) | Impact (1–5) | Risk Score (L×I) | Risk Level |
|---|---|---|---|---|---|---|
| V-01 | SQL Injection | Critical | 5 | 5 | 25 | Critical |
| V-02 | Command Injection | Critical | 5 | 5 | 25 | Critical |
| V-03 | Stored XSS | High | 4 | 4 | 16 | High |
| V-04 | Reflected XSS | Medium | 3 | 3 | 9 | Medium |
| V-05 | Brute Force | High | 4 | 4 | 16 | High |
| V-06 | Weak Password Authentication | High | 5 | 4 | 20 | High |

Risk Level Interpretation

| Score Range | Risk Level |
|---|---|
| 20–25 | Critical |
| 15–19 | High |
| 8–14 | Medium |
| 1–7 | Low |

12. Attack Flow Diagram (High-Level Representation)

Below is a simplified attack flow illustrating how vulnerabilities were exploited during testing:

Attacker
   │
   ├──> Identify Input Field
   │
   ├──> Craft Malicious Payload
   │
   ├──> Submit Payload to Application
   │
   ├──> Application Processes Without Validation
   │
   ├──> Vulnerability Triggered
   │
   ├──> Unauthorized Access / Code Execution / Data Exposure
   │
   └──> Capture Proof-of-Concept Evidence

Example – SQL Injection Flow

User Input → Unsanitized Query → Database Execution → Data Disclosure

Example – Brute Force Flow

Login Form → Unlimited Attempts → Weak Password Accepted → Account Compromise
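
The two controls whose absence makes this flow possible (account lockout and rate limiting), sketched as an added example that is not code from this repository or from DVWA. The thresholds, the `LoginThrottle` and `replay` names, the username and the source address are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Account lockout plus per-source rate limiting (thresholds are assumptions)."""

    def __init__(self, max_failures=5, lockout_s=900, max_per_window=10,
                 window_s=60, clock=time.monotonic):
        self.max_failures, self.lockout_s = max_failures, lockout_s
        self.max_per_window, self.window_s = max_per_window, window_s
        self.clock = clock
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.locked_until = {}              # username -> time the lock expires
        self.attempts = defaultdict(deque)  # source -> recent attempt timestamps

    def check(self, username, source):
        """Decide, before verifying the password, whether the attempt may proceed."""
        now = self.clock()
        recent = self.attempts[source]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()                # drop attempts outside the window
        if len(recent) >= self.max_per_window:
            return "rate_limited"
        recent.append(now)
        if self.locked_until.get(username, float("-inf")) > now:
            return "locked"
        return "ok"

    def record(self, username, success):
        """Update the failure counter after the password has been verified."""
        if success:
            self.failures.pop(username, None)
            return
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = self.clock() + self.lockout_s
            self.failures[username] = 0

def replay(throttle, guesses, real_password, username="admin", source="192.0.2.10"):
    """Replay a constructed guess list through the throttle; return each outcome."""
    outcomes = []
    for guess in guesses:
        state = throttle.check(username, source)
        if state == "ok":
            matched = guess == real_password
            throttle.record(username, matched)
            state = "success" if matched else "failure"
        outcomes.append(state)
    return outcomes
```

With `max_failures=3`, a fourth guess is answered with `locked` even when it is the correct password, so a guess list stops paying off after the threshold.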

13. Security Maturity Assessment

A high-level security maturity evaluation was performed based on observed controls.

| Security Domain | Status | Maturity Level |
|---|---|---|
| Input Validation | Not Implemented | Very Low |
| Output Encoding | Not Implemented | Very Low |
| Authentication Controls | Weak | Low |
| Password Policy | Not Enforced | Very Low |
| Rate Limiting | Not Implemented | Very Low |
| Secure Coding Practices | Poor | Low |
| Monitoring & Logging | Minimal | Low |

Overall Security Maturity: 🔴 Very Low

At the Low security level, the application lacks fundamental defensive controls, making exploitation straightforward.


14. Research Portfolio Series

This project is part of an ongoing structured cybersecurity research portfolio.

| Project ID | Title | Focus Area | Status |
|---|---|---|---|
| Project 01 | Linux Fundamentals & Security Basics | System Security | Completed |
| Project 02 | DVWA Vulnerability Research & Reporting | Web Application Security | Completed |
| Project 03 | Network Scanning & Enumeration Lab | Network Security | Planned |
| Project 04 | Secure Coding & Defensive Controls | Application Security | Upcoming |

Portfolio Objective

The goal of this research series is to:

  • Build practical cybersecurity expertise
  • Develop structured vulnerability assessment methodology
  • Strengthen professional reporting skills
  • Demonstrate hands-on experience aligned with industry standards

DVWA Installation Steps (Kali Linux)

Install

sudo apt update
sudo apt install dvwa

Start

start-dvwa

Stop

close-dvwa

Open browser:

http://localhost/dvwa

Author

Mohan Singh Parmar
Cyber Security & Ethical Hacking Research – 2026


About

Hands-on web app security research with DVWA, including vulnerabilities, PoC, and risk analysis.
