KLSEHB / vulnerability-report


Thank you! #11

Open silversub opened 1 year ago

silversub commented 1 year ago

Thank you for bringing this to my attention. I was just leaving work after my 100th straight day supporting yet another ransomware attack. I saw your reported CVE and my jaw literally dropped to the floor.

This whole time I had assumed we were running Damn VERSATILE Web Application. Your CVE has shown me that we were wrong. Very wrong.

I’ve been running DVWA (the V stands for vulnerable, for anyone else running under the same false assumptions I was) in production for, you guessed it… 100 days.

I even pitched clients on the versatile part. Whenever they questioned why their customer data repeatedly showed up on the dark web, I reassured them that we were running the most VERSATILE web application available.

My best SOC analysts couldn’t even solve it. One of them got close one day and asked “Boss, I’m pretty sure we’re running an application called Damn Vulnerable Web Application that has hundreds of vulnerabilities built in.”

“Impossible” I replied. “We’re running the latest version of DVWA, correct?”

“Well, of course, sir, but —”

“That’s enough!” I snapped back. “I’ve looked at NIST’s website for DVWA and there are NO CVEs. You must be mistaken. Now go check DNS. I’ve heard it’s always DNS.”

Several days later I fired that analyst. I figured insider threat. I fired a lot of good men. I became quite paranoid.

Things got so bad I abandoned my wife when I caught her catching a reverse shell from DVWA. She claimed she was “practicing” her web app testing skills. Considering DVWA had no known CVEs at the time, I had no choice but to assume she was an advanced persistent threat actor utilizing nation-state zero days (say that 5 times fast).

I see some chatter that there may be other vulnerabilities in DVWA. I beg of you. Please uncover these. While it’s too late for me, as I’ve lost everything (my family and thousands upon thousands of customer records), I can only hope your work will save others running DVWA in front of their clients’ sensitive workloads.

EDIT: I've noticed NIST has now rejected this CVE. I am speechless. If anyone from NVD is reading this message, I beg of you to reconsider. How many more people running DVWA are meant to suffer?

alfarom256 commented 1 year ago

Holy shit, what a read. Thank you for your sacrifice.

Souhardya commented 1 year ago

Ride wife? Life good. Wife gone? Regret.

mr-manj commented 1 year ago

Hope you soon get back on your feet. Next time, try using "OWASP Juice Shop"; I heard it is the next cool thing!