Laboratory Exercise: Cyber Basics – Web App Penetration Security: Command Injection Lab Updated!

This introductory lab has students using simple command injection to attempt to gain unauthorized access to data on an intentionally vulnerable web server. The lab document includes a brief primer on command injection and an introduction to DVWA and its command injection tab so students can use command injection to answer a series of lab questions.

Faculty Instructions

Resources required

This exercise requires two virtual machines (VMs) running in the Virginia Cyber Range.

This lab exercise requires an account on The Range.  To sign up for an account on The Range, please visit our Sign-Up page.  Your students will also require an account on the Virginia Cyber Range; this will be explained in the setup of your course.

For this lab, we will use an intentionally vulnerable web application called DVWA (Damn Vulnerable Web Application, available from http://www.dvwa.co.uk/). DVWA is a teaching tool to help students and system administrators understand common web application flaws that lead to compromise, as well as basic techniques that can be used to help secure these apps.

Virtual Environment: The environment for this lab contains two virtual machines (VMs) in a single subnet: one Kali Linux VM, plus a VM hosting DVWA, an intentionally vulnerable suite of web applications used to teach web application penetration testing and defenses. This exercise can also use the full four VM environment used for the Cyber Basics – Reconnaissance and Network Scanning Lab.

Cyber Basics – Web App Penetration Security: Command Injection Lab Handout

Log In
to download materials

* NICE Cybersecurity Workforce Framework KSAs Addressed
  • K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  • K0111: Knowledge of common network tools (e.g., ping, traceroute, nslookup) and interpret the information results.
  • K0119: Knowledge of hacking methodologies in Windows or Unix/Linux environment.
  • K0129: Knowledge of Unix command line (e.g., mkdir, mv, ls, passwd, grep).
  • K0307: Knowledge of common network tools (e.g., ping, traceroute, nslookup).
  • K0342: Knowledge of penetration testing principles, tools, and techniques.
  • S0051: Skill in the use of penetration testing tools and techniques.
  • A0055: Ability to operate common network tools (e.g., ping, traceroute, nslookup).
* NSA/DHS Center of Excellence (CAE) KUs Addressed
  • Penetration Testing (PTT)

* Most courseware content maps to NIST NICE Cybersecurity Workforce Framework (NCWF) Knowledge, Skills, and Abilities (KSAs) and/or NSA/DHS CAE Knowledge Units (KUs). For more information on KSAs and KUs, please visit:

KSAs: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

KUs: https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_2019_Knowledge_Units.pdf