hands-on lab

OWASP Exercises: Command Execution

Up to 1h
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


Operating system commands shouldn't be allowed using a web application that resides on a server. Sometimes, web applications are not as safe as they should be, and let users perform disallowed commands in an unexpected way.

In this lab, you will attempt a command execution attack through the DVWA (Damn Vulnerable Web Application) website to force the web server to execute operating system commands to read and display the contents of files and documents that reside outside of the web server's root hosting directory, and which normally should not be accessible from the web.

Learning Objectives

Upon completion of this lab you will be able to:

  • Manage the security level of a DVWA application in order to set it up to your requirements
  • Perform a Command Execution attack from a DVWA application

Intended Audience

This lab is intended for:

  • Individuals who want to learn how to execute command execution attacks
  • Security engineers who want to understand how to better protect their applications from command execution attacks
  • People who want to know how a command execution attack can be performed


This lab has no prerequisites.


September 21st, 2021 - Updated HyperV VMs to not used save state to avoid an issue with Azure VMs in the same SKU not all having the same processor features

September 7th, 2021 - Upgraded underlying disk, and Kali Hyper-V VM configuration for improved performance

August 30th, 2021 - Include Remote Desktop connection details for those preferring to use their local Remote Desktop client to connect

July 9th, 2020 - Enabled direct browser RDP connection for a streamlined experience

Environment before

Environment after

About the author

Richard Beck, opens in a new tab
Director of Cyber Security at QA
Learning paths

Richard Beck is Director of Cyber Security at QA. He works with customers to build effective and successful security training solutions tailored for business needs. Richard has over 15 years' experience in senior Information Security roles. Prior to QA, Richard was Head of Information Security for an organization that underpins 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in the Defence, Financial Services, and HMG. Richard sits on a number of security advisory panels and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). Richard is also a STEM Ambassador working to engage and enthuse young people in the area of cybersecurity. Providing a unique perspective on the world of cybersecurity to teachers and encourage young people to consider a career in cybersecurity.

Covered topics

Lab steps

Load the Virtual Machines (Kali & Metasploitable)
Navigate to the DVWA website
Conduct the Command Execution attack