This project demonstrates the deployment of the Damn Vulnerable Web Application (DVWA) on a local Kubernetes cluster using Minikube. DVWA is a deliberately insecure web application designed for learning and practicing web security testing.
The setup uses Kubernetes to deploy two core components:
- MySQL Database – stores user and application data.
- DVWA Web Application – provides vulnerable web interfaces for testing attacks.
The goal is to simulate a real-world containerized environment and explore how common web vulnerabilities behave within a Kubernetes setup.
- Minikube – local Kubernetes cluster
- Docker – container runtime
- kubectl – cluster management
- DVWA & MySQL images – from Docker Hub
```bash
# Start local Kubernetes cluster
minikube start --driver=docker

# Apply manifests
kubectl apply -f mysql-deployment.yaml
kubectl apply -f dvwa-configmap.yaml
kubectl apply -f dvwa-deployment.yaml

# Check pod and service status
kubectl get pods
kubectl get svc

# Get the Minikube IP and access DVWA
minikube ip
# → Open in browser: http://<minikube-ip>:30080/
```

- Description: Injecting malicious SQL queries to bypass authentication or retrieve data.
- Example Payload: `' OR '1'='1`
- Result: Displays all user data due to improper query sanitization.

- Description: Running system commands through unsanitized input fields.
- Example Payload: `127.0.0.1; ls -la`
- Result: Executes OS commands on the server.

- Description: Injecting malicious scripts that run in other users’ browsers.
- Example Payload: `<script>alert('XSS')</script>`
- Result: Displays an alert popup, proving script execution.

Screenshots and HTML evidence of each attack are included in the evidence/ folder.
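
The first two payloads listed above, run against a vulnerable lookup and its hardened form. This is an added example, not code from this project or from DVWA (which is written in PHP and uses MySQL); the in-memory SQLite table, the sample users and all function names are assumptions made for illustration.

```python
import ipaddress
import sqlite3

def make_db():
    # Constructed sample data standing in for the DVWA users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT, first_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("1", "admin"), ("2", "alice"), ("3", "bob")])
    return db

def lookup_vulnerable(db, user_id):
    # Input is concatenated into the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT first_name FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, user_id):
    # Input is bound as a value and is only ever compared to the id column.
    sql = "SELECT first_name FROM users WHERE id = ?"
    return [row[0] for row in db.execute(sql, (user_id,))]

def ping_argv(target):
    # Accept only a literal IP address (ValueError otherwise), then build
    # an argument vector for subprocess.run() without shell=True, so no
    # shell ever interprets ';' or other metacharacters.
    addr = ipaddress.ip_address(target)
    return ["ping", "-c", "1", str(addr)]

if __name__ == "__main__":
    db = make_db()
    sqli = "' OR '1'='1"          # payload from the list above
    cmdi = "127.0.0.1; ls -la"    # payload from the list above
    print("vulnerable   :", lookup_vulnerable(db, sqli))
    print("parameterized:", lookup_parameterized(db, sqli))
    print("valid target :", ping_argv("127.0.0.1"))
    try:
        ping_argv(cmdi)
    except ValueError as exc:
        print("rejected     :", exc)
```
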

```
manifests/          → Kubernetes YAML files for DVWA and MySQL
evidence/           → Screenshots, logs, and HTML snapshots
commands_used.txt   → All shell commands executed
README.md           → Project documentation
```

After testing, delete all resources and stop the cluster:

```bash
kubectl delete -f dvwa-deployment.yaml
kubectl delete -f dvwa-configmap.yaml
kubectl delete -f mysql-deployment.yaml
minikube stop
minikube delete
```

This project is for educational and cybersecurity training purposes only. All testing was performed in a local, isolated environment. Do not deploy DVWA or similar vulnerable apps on public servers.