DVWA: v1.9

DVWA 1.9 –  New Features & Fixes

• Added a dedicated objective (or “flag”) for file include.
• Added a warning to any module that requires a certain configuration.
• Added comments to all source code that would be visible via DVWA modules.
• Added CSRF token to pre-auth forms (login/setup/security pages).
• Added HttpOnly cookie flag on impossible levels.
• Added more detail to the documentation.
• Added PDO to all impossible levels requiring MySQL.
• Added PHPIDS options into the config file.
• Added system check to setup.
• Added various information to all help pages for every module.
• Changed brute force medium to be harder due to sleep.
• Changed file include landing page + added 3x example pages.
• Changed file include medium to be harder due to more filters.
• Changed HTTP REFERER check for medium level CSRF.
• Changed input box for medium level with SQLi + SQLi Blind.
• Changed SQLi + SQLi Blind to be $_POST rather than $_GET.
• Changed SQLi Blind to be a real example of the vulnerability.
• Fixed brute force and file upload impossible levels, as they were vulnerable.
• Fixed bug with file fnclude page not loading.
• Fixed CAPTCHA bug to read URL parameters on impossible.
• Fixed CAPTCHA bug where the form wouldn’t be visible.
• Fixed CAPTCHA bug where the URL parameters were not being used for low + medium.
• Fixed CSRF medium level bug when not on localhost.
• Fixed setup bug with custom URL path.
• Removed PostgreSQL DB support.
• Renamed ‘Command Execution’ to ‘Command Injection’.
• Renamed ‘high’ level to ‘impossible’ and created new vectors for ‘high’.
• Updated README and documentation.
• Various code cleanups in the core PHP files+CSS.
• Various setup improvements (e.g. redirection + limited menu links).