OWASP Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication. The flow of the application is similar to DVWA. You will find more vulnerabilities than the ones listed in the application.
In the hosts file of your attacker machine create an entry for dvws.local to point at the IP address hosting the DVWS application.
Location of hosts file:
Windows: C:\windows\System32\drivers\etc\hosts
Linux: /etc/hosts
Sample entry for hosts file:
192.168.100.199 dvws.local
The application requires the following:
Apache + PHP + MySQL
PHP with MySQLi support
Install "Ratchet" and "ReactPHP-MySQL" using composer:
git clone https://github.com/interference-security/DVWS
cd DVWS
composer install
docker build -t dvws .
# For connecting with existing database
docker run -it \
--name DVWS \
-p 8080:8080 -p 8888:8888 \
-e "DB_HOST=db" \
-e "DB_USER=dvws" \
-e "DB_PASSWORD=DVWS" \
-e "DB_DATABASE=dvws" \
--restart always \
dvws
# or use docker-compose
docker-compose upVisit http://localhost:8080/setup.php for getting started
Set the MySQL hostname, username, password and an existing database name in the includes/connect-db.php file then go to Setup to finish setting up DVWS.
On the host running this application, run the following command from DVWS directory: php ws-socket.php --heartbeat-interval <seconds>
Example: php ws-socket.php --heartbeat-interval 10
DVWS has been developed with limited knowledge of Web Sockets. Feel free to contribute and enhance this project.
