This project looks great :)
Any chance of creating a docker image for it? That would make it much easier to install.
I've started a collection of vuln apps: https://hub.docker.com/u/owaspvwad/ so v happy to add it there.

The change password function in csrf.php does not actually check the username or if a valid session has been established. It always returns 'Password changed successfully.' I would also rename it to cswsh.php as it is Cross-Site WebSocket Hijacking.

Many Websocket applications implements heartbeat messages, called PING/PONG, to keep websocket connection alive.

It will be great if DVWS has an option to add heartbeat messages. That will help testing manual established websocket connections from proxies like ZAP. In order to achieve that, we could use some parameters at ws-socket.php. An example:

ws-socket.php --heartbeat--intervel <ms> --heartbeat-time <ms> 

I have being trying to implement that but i am not so familiar with javascript/php.

Thank you :)

I tried to install DVWS and everything seems to working, but the DB depending exercises don't work.

What I have tried so far:

• create DB both as root and dedicated user
• verified existence DB with mysqlshow
• created tables via setup in DVWS; appears to be working

However, when I e.g. try stored XSS the Firefox console tells me the server closes the connection because the path can't be found.

Exercises not depending on DB work fine (e.g. command injection and reflected XSS).

Any ideas?

environment => Windows 10, XAMPP (PHP 7)

initially

after starting ws-socket.php with administrator privilege

After changing line 24 of CommandExecution.php to $reply_data = shell_exec('ping '.$msg);

everything is working fine.

command injection is also working fine

I tried to set up the environment in multiple ways.

1. installed XAMPP Version 7.2.2, cloned the project folder into D:\xampp\htdocs, started Apache and MySQL service from XAMPP control panel, created a db called dvws_db, configured the connect-db.php file in D:\xampp\htdocs\DVWS\includes
2. opened the project in IntelliJ IDEA 2017.3.5 (Ultimate edition), configured the built-in PHP web server, started MySQL service using XAMPP
3. used docker image following this guide (https://hub.docker.com/r/tssoffsec/dvws/)

In all situations, I was able to access the application using a browser and db connection was successful

However, whenever I click a submit button(in any page) I get an error. For example after clicking login button in brute-force page in chrome

after clicking login button in brute-force page in firefox

I found a similar problem is addressed in ratchetphp/Ratchet#481
I am not familiar with javascript development, to check I tried to change the relevant code into this

I got the following error after changing

Please look into this.