Achtung: Sie verwenden einen sehr alten Browser! Die Webseite sollte trotzdem funktionieren, aber mit einem neueren Browser wäre alles übersichtlicher und schöner!
Banner-Bild: Ditact Teilnehmerinnen

Kurs Online: Hack the heck out of this DamnVulnWebApp

An experimental introduction to web application security
Andrea Ida Malkah Klaura
Melanie Hosinner

Andrea Ida Malkah Klaura, Melanie Hosinner

The course teaches the basics of web application security, based on the most common vulnerabilities and practical examples provided by the Damn Vulnerable Web Application (

The general aim of this course is not only to create awareness for common security issues in web applications but also to experience this issues through hands-on experiments. This is accomplised through guided attempts of exploiting such common issues. Combined with a collective reflection how to also apply this knowledge to secure coding of web applications.

In particular the course has the following goals:

  • Improve the students understanding of web applications and web application security
  • Gain student self-confidence to apply web application security testing on their own and to pick up on skills and knowledge in regard to web application security.
  • Generate and increase awareness for common vulnerabilities, in order to also increase secure development capabilities.
  • Apply theoretical knowledge in a hands-on practical setting with realistic examples and scenarios.

Structure and method of the course:

We will start with an introduction of ourselves and the general outline of the course, as well as a round of introduction of the participants and what their specific interests in the topic and expectations towards the course are.

The main part of the course will be an iteration over the different categories of vulnerabilities in a sequence of three parts:

  • a short intro on the type of vulnerability by the lecturers
  • an extended hands-on sequence, where students try to hack into the DVWA by exploting this type of vulnerability
  • a collective reflection and discussion of potential solutions (to the hack as well as to securing against this type of vulnerability)

The course will be concluded with a general reflection on what students have learned and how and where they could continue their journey into web application security.



Participants do not need to be practiced web application developers, but they should have learned at least one programming language. An understanding for PHP, HTML, JavaScript and SQL are helpful in the particular hands-on exercises, but they are not necessary if one has a basic understanding of programming in general or practical experience e.g. with Python, Java, C/C++, etc.

A basic understanding of web applications is also helpful, but not necessary. We will provide a short intro on what makes web applications specific as a category of software.

Participants should attend on their own computer. We do not recommend attending with a smart phone or tablet, as the hands-on exercises are tailored towards desktop use. The only thing you need is a generic web browser (e.g. Firefox or Chromium).

Test servers can be provided by the lecturers. But we recommend setting it up with VirtualBox or Docker locally, so that participants can continue with their journey on their own after the course. Ideally participants should also install the free Burp Suite Community Edition ( on their computer, or use Kali Linux (e.g. with VirtualBox). Instructions how to do so will be provided beforehand. Also an (optional) setup session will take place a few days before the course.

Geschlossene Veranstaltung

Nur für die angemeldeten Teilnehmerinnen