July 4, 2026
Analyzing DVWA Web Attacks Inside Wazuh SIEM

By kanass
It covers simulating web application attacks against Damn Vulnerable Web Application (DVWA) and analyzing the resulting telemetry within the Wazuh SIEM platform.
- Environment Architecture
  - Web Server: Ubuntu Server running Apache hosting DVWA (monitored by a Wazuh Agent)
  - Attack tooling: sqlmap, custom XSS payloads
  - Wazuh Server: Ubuntu Desktop
Phase 1: Web Application Attacks & Wazuh Analysis
I executed SQL Injection (SQLi) and Reflected Cross-Site Scripting (XSS) attacks against DVWA to verify how web server logs normalize and alert inside a SIEM.
1. SQL Injection (SQLi)
Attack Tool: sqlmap
Target: DVWA SQLi Module
Log Payload Sample:
```
/vulnerabilities/sqli/?id=%27%20UNION%20SELECT%20null,user()--%20&Submit=Submit
```
SIEM Detection: Triggered Wazuh Rule 31103. The rule successfully matched SQL injection regex signatures, flagging the single quote (%27) and the UNION SELECT statement string.
2. Reflected Cross-Site Scripting (XSS)
Attack Technique: Input field manipulation
Target: DVWA XSS (Reflected) Module
Log Payload Sample:
```
/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E
```
SIEM Detection: Wazuh parsed the raw Apache access logs, identifying the URL-encoded brackets (%3C for < and %3E for >) along with the <script> tags, raising a high-severity alert.
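As an added illustration of the detection side (my own code, not part of the original post and not Wazuh's rule definitions), the script below parses constructed Apache combined-format access log lines containing the two DVWA requests above, URL-decodes the request URI, and applies simple signature checks that approximate the matching described. Rule number 31103 is the one named in the post; the XSS rule label and the regexes are my own approximations.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (sample data, not captured from the lab).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jul/2026:12:00:01 +0000] "GET /vulnerabilities/sqli/?id=%27%20UNION%20SELECT%20null,user()--%20&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.7"
10.0.0.5 - - [04/Jul/2026:12:00:09 +0000] "GET /vulnerabilities/xss_r/?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Jul/2026:12:01:00 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Jul/2026:12:01:30 +0000] "GET /login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: ip ident user [time] "method uri proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# (rule id, description, pattern). 31103 is the rule id the post reports for SQLi;
# the XSS label and both regexes are approximations written for this example.
SIGNATURES = [
    ("31103", "SQL injection attempt",
     re.compile(r"(?i)'.*\bunion\b.*\bselect\b|\bunion\b\s+(?:all\s+)?select\b|'\s*or\s+'?\d")),
    ("xss-script-tag", "Cross-site scripting attempt",
     re.compile(r"(?i)<\s*script\b|javascript:")),
]


def parse_line(line):
    """Return the named fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(line):
    """Return an alert dict for the first matching signature, or None for benign lines."""
    rec = parse_line(line)
    if rec is None:
        return None
    # Decode twice so a single layer of double encoding does not hide the payload;
    # the SIEM rule described in the post matches the still-encoded text instead.
    decoded = unquote(unquote(rec["uri"]))
    for rule_id, description, pattern in SIGNATURES:
        if pattern.search(decoded):
            return {"rule": rule_id, "description": description, "src_ip": rec["ip"],
                    "uri": rec["uri"], "user_agent": rec["ua"]}
    return None


def scan(log_text):
    """Run detect() over every line and keep only the alerts."""
    return [a for a in (detect(l) for l in log_text.splitlines()) if a]
```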
Thank you for reading