Author: Arathi Shekhar Munavalli
Internship: Alfido Tech
Date: 04 April 2026
As part of this task, a web application security testing activity was carried out on a locally hosted vulnerable web application. The aim was to understand how real-world web vulnerabilities are identified and exploited using standard security tools.
The target used for this assessment is an intentionally vulnerable application designed for safe practice.
- Target: DVWA (Damn Vulnerable Web Application)
- URL: http://localhost/dvwa
- Platform: Windows (XAMPP – Apache + MySQL)
- Security Level: Low
The following tools were used during the assessment:
- DVWA – intentionally vulnerable web application for safe practice
- XAMPP – local web server environment (Apache + MySQL)
- Burp Suite Community Edition – for intercepting and analyzing HTTP requests
The task was completed in three stages:
- Environment Setup: DVWA was installed and configured on a local Windows machine using XAMPP. The security level was set to Low to allow vulnerability testing.
- Vulnerability Testing: Two major vulnerabilities were tested — Cross-Site Scripting (XSS) and SQL Injection — using crafted payloads in the input fields of DVWA.
- Traffic Analysis: Burp Suite was used to intercept and inspect the HTTP requests made during the testing process.
- Module: XSS (Reflected) in DVWA
- Payload Used: <script>alert('XSS')</script>
- Result: Alert popup appeared in the browser — vulnerability confirmed
- Module: SQL Injection in DVWA
- Payload Used: 1' OR '1'='1
- Result: All user records from the database were exposed — vulnerability confirmed
The testing revealed the following security concerns:
- User input is not sanitized or validated before processing
- SQL queries are built directly using user input without parameterization
- JavaScript can be injected and executed through input fields
- No Content Security Policy (CSP) headers are configured
- Database errors and sensitive data are exposed to the user
- Critical Risk: SQL Injection – full database access possible
- High Risk: Cross-Site Scripting – session hijacking and data theft possible
- Medium Risk: Missing security headers and no input validation
Based on the findings, the following steps are suggested:
- Use prepared statements and parameterized queries to prevent SQL Injection
- Sanitize and encode all user inputs before rendering them in the browser
- Implement Content Security Policy (CSP) headers
- Validate input on both client and server side
- Never display raw database errors to end users
- Use a Web Application Firewall (WAF) for additional protection
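The first two recommendations side by side, as an added example that is not part of the report and not DVWA's own code: a lookup built by string concatenation (the Low-level behaviour observed above) next to the same lookup with a bound parameter, and raw versus HTML-encoded output. It assumes an in-memory SQLite table with constructed sample rows in place of DVWA's MySQL users table.

```python
import html
import sqlite3

# Constructed sample rows standing in for the DVWA users table (not its real schema).
SAMPLE_USERS = [
    (1, "admin", "Admin"),
    (2, "gordonb", "Gordon"),
    (3, "1337", "Hack"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Query built by concatenation: the input becomes part of the SQL text,
    so 1' OR '1'='1 turns the WHERE clause into an always-true condition."""
    sql = "SELECT user_id, user FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Same lookup with a bound parameter: the input is only ever data,
    so the injection string simply matches no row."""
    sql = "SELECT user_id, user FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def render_vulnerable(name):
    """Reflects the input unchanged, the behaviour behind the XSS finding."""
    return "<p>Hello " + name + "</p>"


def render_encoded(name):
    """HTML-encodes the input before rendering so markup is shown, not executed."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1' OR '1'='1"))      # every row leaks
    print(lookup_parameterized(db, "1' OR '1'='1"))   # []
    print(render_encoded("<script>alert('XSS')</script>"))
```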
This exercise demonstrates how basic web application vulnerabilities like XSS and SQL Injection can be easily exploited when proper security practices are not followed. While the target used here is intentionally vulnerable and meant for learning, similar issues in real-world applications can lead to serious data breaches and system compromise.
Regular security testing, proper input validation, and secure coding practices are essential for maintaining web application security.
This assessment was performed only on a locally hosted intentionally vulnerable application (DVWA) for educational purposes as part of the Alfido Tech Cybersecurity Internship program.