Skip to content

Instantly share code, notes, and snippets.

@dsmabulage

dsmabulage/DVWA_reCAPTCHA_Configuration.md

Last active May 10, 2025 00:24
Show Gist options
  • Save dsmabulage/c4f8ab408025f575419112449cd9d2b1 to your computer and use it in GitHub Desktop.
Save dsmabulage/c4f8ab408025f575419112449cd9d2b1 to your computer and use it in GitHub Desktop.
Download ZIP
DVWA (Damn Vulnerable Web Application) is an intentionally vulnerable PHP/MySQL application for testing web security tools and techniques. By default, the reCAPTCHA fields in the configuration file are left empty, which prevents certain features (e.g., CAPTCHA on login) from functioning correctly. This guide demonstrates how to fix that by integ…
Raw
DVWA_reCAPTCHA_Configuration.md

Fixing reCAPTCHA Configuration in DVWA (Damn Vulnerable Web Application)

This guide walks you through resolving the reCAPTCHA vulnerability in DVWA by properly configuring the reCAPTCHA keys within a Dockerized environment.

πŸ› οΈ Description

DVWA (Damn Vulnerable Web Application) is an intentionally vulnerable PHP/MySQL application for testing web security tools and techniques. By default, the reCAPTCHA fields in the configuration file are left empty, which prevents certain features (e.g., CAPTCHA on login) from functioning correctly. This guide demonstrates how to fix that by integrating Google reCAPTCHA.

Prerequisites

To perform this check, your Kali machine must have internet access.

πŸ“Œ Steps to Fix reCAPTCHA Configuration

1. Generate Google reCAPTCHA v2 Keys

  • Visit: https://www.google.com/recaptcha/admin/create
  • Label: Choose a descriptive name (e.g., DVWA Local Test)
  • reCAPTCHA Type: Select Challenge v2 β†’ "I'm not a robot" Checkbox
  • Domains: Add localhost
  • Accept Terms of Service and submit.
  • Copy the Site Key (public) and Secret Key (private).

2. Access the Running DVWA Docker Container

  • Find the running container ID:

    docker ps
image

  • Access the container:

    docker exec -it <container_id> /bin/bash

3. Check Existing reCAPTCHA Key Values

Inside the container, run:

grep 'recaptcha' /var/www/html/config/config.inc.php

You will likely see:

$_DVWA[ 'recaptcha_public_key' ]  = '';
$_DVWA[ 'recaptcha_private_key' ] = '';

4. Replace with Your Actual reCAPTCHA Keys

Still inside the container, run:

sed -i "s|\$_DVWA\[ 'recaptcha_public_key' \]  = ''|\$_DVWA[ 'recaptcha_public_key' ]  = 'YOUR_PUBLIC_KEY'|g" /var/www/html/config/config.inc.php

sed -i "s|\$_DVWA\[ 'recaptcha_private_key' \] = ''|\$_DVWA[ 'recaptcha_private_key' ] = 'YOUR_PRIVATE_KEY'|g" /var/www/html/config/config.inc.php

⚠️ Replace YOUR_PUBLIC_KEY and YOUR_PRIVATE_KEY with the actual values you received from Google.

5. Verify the Updated reCAPTCHA Keys

Re-run the earlier check to confirm the keys are updated:

grep 'recaptcha' /var/www/html/config/config.inc.php
image

6. Access DVWA in Your Browser

  • Find the container port:

    docker port <container_id>
image

  • Open the browser and navigate to:

    http://localhost:<port>

7. Reset the Database

Click to Setup DVWA β†’ Create / Reset Database.

image

8. Login with Default Credentials - http://localhost:{PORT}/vulnerabilities/captcha/

Username: admin
Password: password

9. Confirm reCAPTCHA Appears

The login or reset DB page will now show the "I'm not a robot" reCAPTCHA checkbox, indicating successful integration.

image

10. Replace recaptchalib.php to Disable SSL (Development Use Only)

To bypass SSL verification errors during local testing, replace the default reCAPTCHA library file with a modified one that disables SSL checks.

11. Create the Replacement File on Desktop

Create a new file on your Desktop named recaptchalib.php and paste the following code:

<?php

// new php7 captcha v2 implementation with SSL verification disabled for local/test environments.

function recaptcha_check_answer($key, $response){
	return CheckCaptcha($key, $response);
}

function CheckCaptcha($key, $response) {

	try {
		$url = 'https://www.google.com/recaptcha/api/siteverify';
		$dat = array(
			'secret'   => $key,
			'response' => urlencode($response),
			'remoteip' => urlencode($_SERVER['REMOTE_ADDR'])
		);

		$opt = array(
			'http' => array(
				'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
				'method'  => 'POST',
				'content' => http_build_query($dat)
			),
			"ssl"=>array(
				"verify_peer"=>false,
				"verify_peer_name"=>false
			)
		);

		$context = stream_context_create($opt);
		$result  = file_get_contents($url, false, $context);

		return json_decode($result)->success;

	} catch (Exception $e) {
		return null;
	}

}

function recaptcha_get_html($pubKey){
	return "
		<script src='https://www.google.com/recaptcha/api.js'></script>
		<br /> <div class='g-recaptcha' data-theme='dark' data-sitekey='" . $pubKey . "'></div>
	";
}

?>

12. Copy the File into the Docker Container

Use the following command to copy it to the appropriate location inside your running DVWA container:

docker cp ~/Desktop/recaptchalib.php <container_id>:/var/www/html/external/recaptcha/recaptchalib.php

πŸ“ Replace <container_id> with your actual Docker container ID (e.g., 6b7b450b918e).

13. Restart the DVWA Docker Container

To apply the changes, restart the container:

docker restart <container_id>

This ensures Apache reloads the updated recaptchalib.php file with SSL verification disabled.

14. CAPTCHA Functionality

image

Article

πŸŽ₯ Watch Video Tutorial

For a full video walkthrough, check out this YouTube tutorial:
πŸ‘‰ https://www.youtube.com/watch?v=WkyDxNJkgQ4

βœ… Your DVWA now includes working reCAPTCHA validation to simulate modern security features. βœ… Your DVWA instance is now configured with reCAPTCHA and SSL-free validation for development and testing purposes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment