7.1 KiB
7.1 KiB
DAMN VULNERABLE WEB APPLICATION
v1.10 (*Not Yet Released)
- Improved IIS support. (@g0tmi1k)
- Improved setup system check. (@g0tmi1k)
v1.9 (2015-10-05)
- Added a dedicated objective (or "flag") for file include. (@g0tmi1k)
- Added a warning to any module that requires a certain configuration. (@g0tmi1k)
- Added comments to all source code that would be visible via DVWA modules. (@g0tmi1k)
- Added CSRF token to pre-auth forms (login/setup/security pages). (@g0tmi1k + @Shinkurt)
- Added HttpOnly cookie flag on impossible levels. (@g0tmi1k)
- Added more detail to the documentation. (@g0tmi1k)
- Added PDO to all impossible levels requiring MySQL. (@g0tmi1k)
- Added PHPIDS options into the config file. (@g0tmi1k)
- Added system check to setup. (@g0tmi1k)
- Added various information to all help pages for every module. (@g0tmi1k)
- Changed brute force medium to be harder due to sleep. (@g0tmi1k)
- Changed file include landing page + added 3x example pages. (@g0tmi1k)
- Changed file include medium to be harder due to more filters. (@g0tmi1k)
- Changed HTTP REFERER check for medium level CSRF. (@g0tmi1k)
- Changed input box for medium level with SQLi + SQLi Blind. (@g0tmi1k)
- Changed SQLi + SQLi Blind to be $_POST rather than $_GET. (@g0tmi1k)
- Changed SQLi Blind to be a real example of the vulnerability. (@g0tmi1k)
- Fixed brute force and file upload impossible levels, as they were vulnerable. (@g0tmi1k + @Shinkurt)
- Fixed bug with file fnclude page not loading. (@g0tmi1k)
- Fixed CAPTCHA bug to read URL parameters on impossible. (@g0tmi1k)
- Fixed CAPTCHA bug where the form wouldn't be visible. (@g0tmi1k)
- Fixed CAPTCHA bug where the URL parameters were not being used for low + medium. (@g0tmi1k)
- Fixed CSRF medium level bug when not on localhost. (@g0tmi1k)
- Fixed setup bug with custom URL path. (@g0tmi1k)
- Removed PostgreSQL DB support. (@g0tmi1k)
- Renamed 'Command Execution' to 'Command Injection'. (@g0tmi1k)
- Renamed 'high' level to 'impossible' and created new vectors for 'high'. (@g0tmi1k)
- Updated README and documentation. (@g0tmi1k)
- Various code cleanups in the core PHP files + CSS. (@g0tmi1k)
- Various setup improvements (e.g. redirection + limited menu links). (@g0tmi1k)
v1.8 (2013-05-01)
- Versioning change: Version numbers now follow Major.Minor (e.g. v1.8) removing the middle digit.
- Moved default security level setting to the config file.
- Fixed a bug which prevented setup when a database name other than 'dvwa' was used.
- Added a logic challenge involving an insecure CAPTCHA (requires external internet access)
v1.0.7 (2010-09-08)
- Re-designed the login page + made some other slight cosmetic changes. 06/06/2010 (@ethicalhack3r)
- Started PostgreSQL implementation. 15/03/2010 (@ethicalhack3r)
- A few small cosmetic changes. 15/03/2010 (@ethicalhack3r)
- Improved the help information and look. 15/03/2010 (@ethicalhack3r)
- Fixed a few bugs thanks to @Digininja. 15/03/2010 (@ethicalhack3r)
- Show logged in username. 05/02/2010 (Jason Jones)
- Added new info on RandomStorm. 04/02/2010 (@ethicalhack3r)
- Added 'SQL Injection (Blind)'. 04/02/2010 (@ethicalhack3r)
- Added official documentation. 21/11/2009 (@ethicalhack3r)
- Implemented view all source functionality. 16/10/2009 (tmacuk, craig, @ethicalhack3r)
v1.0.6 (2009-10-05)
- Fixed a bug where the logo would not show on first time use. 03/09/2009 (@ethicalhack3r)
- Removed 'current password' input box for low+med CSRF security. 03/09/2009 (@ethicalhack3r)
- Added an article which was written for OWASP Turkey. 03/10/2009 (@ethicalhack3r)
- Added more toubleshooting information. 02/10/2009 (@ethicalhack3r)
- Stored XSS high now sanitises output. 02/10/2009 (@ethicalhack3r)
- Fixed a 'bug' in XSS stored low which made it not vulnerable. 02/10/2009 (@ethicalhack3r)
- Rewritten command execution high to use a whitelist. 30/09/09 (@ethicalhack3r)
- Fixed a command execution vulnerability in exec high. 17/09/09 (@ethicalhack3r)
- Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/09 (@ethicalhack3r)
- Added the upload directory to the upload help. 17/09/09 (@ethicalhack3r)
v1.0.5 (2009-09-03)
- Made IE friendly as much as possible. 30/08/2009 (@ethicalhack3r)
- Removed the acunetix scan report. 30/08/2009 (@ethicalhack3r)
- Added 'Clear Log' button to PHPIDS parser. 27/08/2009 (@ethicalhack3r)
- Implemented PHPIDS log parser. 27/08/2009 (@ethicalhack3r)
- Implemented Stored XSS vulnerability. 27/08/2009 (@ethicalhack3r)
- Added htaccess rule for localhost access only. 22/08/2009 (@ethicalhack3r)
- Added CSRF. 01/08/2009 (@ethicalhack3r)
- Implemented sessions/login. 01/08/2009 (@ethicalhack3r)
- Complete recode. (jamesr)
- Complete redesign. (jamesr)
- Delimited 'dvwa' in session- minimising the risk of clash with other projects running on localhost. 01/08/2009 (jamesr)
- Integrated PHPIDS v0.6. 01/08/2009 (jamesr)
- Streamlined login functionality. 01/08/2009 (jamesr)
v1.0.4 (2009-06-29)
- Added acunetix scan report. 24/06/2009
- All links use http://hiderefer.com to hide referrer header. 23/06/2009
- Updated/added 'more info' links. 23/06/2009
- Moved change log info to CHANGELOG.txt. 22/06/2009
- Fixed the exec.php UTF-8 output. 16/06/2009
- Moved Help/View source buttons to footer. 12/06/2009
- Fixed phpInfo bug. 12/06/2009
- Made dvwa IE friendly. 11/06/2009
- Fixed html bugs. 11/06/2009
- Added more info to about page. 03/06/2009
- Added pictures for the users. 03/06/2009
- Fixed typos on the welcome page. 03/06/2009
- Improved README.txt and fixed typos. 03/06/2009
- Made SQL injection possible in sqli_med.php. Thanks to Teodor Lupan. 03/06/2009
v1.0.3 (2009-05-25)
- Changed XAMPP link in index.php. 25/05/2009
- Set default security to low. 25/05/2009
- Improved output in setup.php. 25/05/2009
v1.0.2 (2009-05-24)
- Removed phpinfo on higher security levels. 24/05/2009
- Moved all vulnerable code to /source/. 24/05/2009
- Added viewsource. 24/05/2009
v1.0.1 (2009-05-24)
- Implemented different security levels. 24/05/2009
- Changed XSS from POST to GET. 22/05/2009
- Some changes to CSS. 22/05/2009
- Version number now in variable in header.php. 21/05/2009
- Added about page. 21/05/2009
- Updated login script to use database. 21/05/2009
- Added admin user to database. 21/05/2009
- Combined RFI + LFI to make 'File Inclusion'. 21/05/2009
- More realism to Local File Inclusion. 21/05/2009
- Better error output on upload script. 21/05/2009
v1.0 (2009-05-20)
- Made command execution more realistic. 20/05/2009
- Added help buttons. 20/05/2009
- Added .htaccess file to turn magic quotes off. 20/05/2009
- Improved database creation with setup.php. 19/05/2009
- Amended installation instructions in README file. 19/05/2009
- Added GNU GPL license. 19/05/2009
- Added a robots.txt file with disallow all. 26/01/2009
- Removed link to www.ethicalhacker.co.uk in footer. 26/01/2009
- Added better error output on magic quotes. 26/01/2009
Links
- Homepage: http://www.dvwa.co.uk
Created by the DVWA team.