OWASP Exercises: Command Execution

Lab Steps

  • Logging into the Microsoft Azure Portal
  • Connecting to the Lab Host Virtual Machine Using RDP
  • Load the Virtual Machines (Kali & Metasploitable)
  • Navigate to the DVWA website
  • Conduct the Command Execution attack

Time Limit: 1h


A web application should not let its users run operating system commands on the server that hosts it. Sometimes web applications are not as safe as they should be, and they let users run disallowed commands in unexpected ways.

In this lab, you will attempt a command execution attack through the DVWA (Damn Vulnerable Web Application) website. The goal is to force the web server to execute operating system commands that read and display the contents of files and documents that reside outside the web server's root hosting directory and that normally should not be accessible from the web.

Learning Objectives

Upon completion of this lab you will be able to:

  • Manage the security level of a DVWA application to match your requirements
  • Perform a Command Execution attack against a DVWA application

Intended Audience

This lab is intended for:

  • Individuals who want to learn how to perform command execution attacks
  • Security engineers who want to understand how to better protect their applications from command execution attacks
  • People who want to know how a command execution attack can be performed


This lab has no prerequisites.

About the Author

Richard Beck is Head of Cyber Security at QA, responsible for the entire Cyber Security portfolio. He works with customers to build effective and successful security training solutions tailored to business needs. Richard has over 10 years' experience in senior Information Security roles. Prior to QA, Richard was Head of Information Security for four years at Arqiva, which underpins 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts at CPP, GEC, Pearson and the Royal Air Force. Richard sits on the IBM European Board of Security Advisors and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI).