{"target":{"id":"dvwa","name":"Damn Vulnerable Web App (DVWA)","category":"Web App Pentest","difficulty":"Beginner","vulns_known":15,"legal_notice":"Open-source PHP/MySQL app by RandomStorm. Public on GitHub. Designed for security training.","docker":"vulnerables/web-dvwa","url_demo":"http://localhost:8081","kills":["Command injection via 'ip' parameter (low/med/high)","Stored XSS in 'guestbook' name field","SQLi in 'user_id' (low → medium → high → impossible)","File inclusion: local + remote via 'page' parameter","Brute-force login with Hydra (anti-CSRF bypass)"]},"script":[{"ts":"00:00–00:05","shot":"Tarun logo slam, glitch transition, synth bass drop","voice":"target locked: Damn Vulnerable Web App (DVWA).","screen":"Black → target logo → terminal opens"},{"ts":"00:05–00:15","shot":"Typing sequence: subfinder + httpx + nuclei","voice":"passive recon. mapped 15 live assets. one stands out.","screen":"Live terminal output streaming"},{"ts":"00:15–00:30","shot":"Vuln hypothesis + manual probe","voice":"this looks like a web app pentest playground. testing the obvious.","screen":"Curl → response with injection sink highlighted"},{"ts":"00:30–00:55","shot":"Exploit chain: finding → POC → proof","voice":"and we have a beginner-difficulty kill. root in 60 seconds.","screen":"shell pop. whoami. cat /etc/passwd. screenshot."},{"ts":"00:55–01:25","shot":"Tarun commentary + 'why this matters' overlay","voice":"the same bug class lives in production. here's what defenders miss.","screen":"Side-by-side: vulnerable training app vs real-world CVE"},{"ts":"01:25–01:30","shot":"Logo card, subscribe, 'next target: ___'","voice":"next target, in 24 hours. follow the build.","screen":"Tarun logo + social links + countdown to next show"}],"runtime_seconds":90,"render_assets":{"voice_needed":true,"music_track":"synthwave_90s.mp3 (royalty-free)","captions":"auto-generated, English, branded"}}