Today I have been using the Damn Vulnerable Web App in conjunction with Burpsuite and sqlmap, two key tools that are part of the Kali Linux distribution.
The DVWA is a comprehensive testing area that you can install on your own machine and attack with whichever tools you feel are fit for purpose. Today, I used Burpsuite to intercept some browser messages, pulling the PHPSESSID out of the network traffic, then I’ve used sqlmap to interrogate the databases (there’s 4 in DVWA) revleaing their table and column structure.
The aim of the DVWA exercises are set out in each area of the application. I’m supposed to using SQLi techniques to gather information that should be secure. I’ll get on with that tomorrow – right now, I’m enjoying exploring the options available to sqlmap which will certainly be of use in the future.