Damn Vulnerable Web Application (DVWA) is a free, open-source web application written in PHP and MySQL that is deliberately vulnerable. Its main goal is to help security professionals test their skills and tools across several difficulty levels, and to help web developers better understand how to secure web applications.
WARNING! WARNING! WARNING! WARNING!
Do not upload it to your hosting provider’s public html folder or any Internet-facing servers, as they will be compromised. Using a virtual machine (such as VirtualBox or VMware) is recommended, set to NAT networking mode.
- Recommended OS: Rocky Linux 8.+
- User account: A user account with sudo or root access.
- Required Packages: git
Update Operating System
Update your Rocky Linux operating system to make sure all existing packages are up to date:
sudo dnf update && sudo dnf upgrade -y
The tutorial uses the sudo command and assumes your account has sudo rights. To verify this on your account, run:
sudo whoami
Example output showing sudo status:
[user@hostname ~]$ sudo whoami
root
If you have not set up a sudo user account and would like to, visit our tutorial on How to Add a User to Sudoers on Rocky Linux.
To use the root account, use the following command with the root password to log in.
Install Git Package
In the tutorial, you will need Git installed using the following command:
sudo dnf install git -y
Installing Apache, MariaDB and PHP for DVWA
DVWA is a PHP and MySQL-based application, so you need the Apache web server, MariaDB, PHP and a few supporting packages. Install them with the following terminal command:
sudo dnf install httpd mariadb-server php php-pdo php-mysqlnd php-cli php-gd git -y
Now you will need to edit the PHP configuration file (php.ini).
First, open up the configuration file using nano:
sudo nano /etc/php.ini
Next, use the search function (CTRL+W) to locate the following directives and set them to the values below:
allow_url_fopen = On
allow_url_include = On
display_errors = Off
Note that allow_url_include = On is intentionally insecure: DVWA's file-inclusion exercises depend on it, which is one more reason to keep the machine isolated as described in the warning above.
Save the configuration file (CTRL+O), then exit (CTRL+X).
Start Apache and MariaDB, and enable them on boot, with the following commands:
sudo systemctl start httpd && sudo systemctl enable httpd
sudo systemctl start mariadb && sudo systemctl enable mariadb
Once enabled, verify both services are working with the following commands:
sudo systemctl status httpd
sudo systemctl status mariadb
If all services are running with status ok and green, you can proceed to the next part of the tutorial.
Configuring MariaDB for DVWA
Now you need to create a database and a user for DVWA.
First, connect to your MariaDB service with the following command:
sudo mysql -u root
Once you are connected, create the database and user with the following statements. The grant must name the same database (dvwadb) that you will later put in config.inc.php, otherwise DVWA cannot reach it:
create database dvwadb;
grant all on dvwadb.* to 'dvwauser'@'localhost' identified by 'password';
To finish off configuring MariaDB, flush the privileges and exit using the following command:
flush privileges;
exit;
To download DVWA, use Git to clone the official repository from the project's GitHub page.
Clone the repository using the following command:
sudo git clone https://github.com/ethicalhack3r/DVWA /var/www/html/
When you have finished cloning DVWA using Git, change to the directory and copy the configuration sample:
cd /var/www/html/config/
sudo cp config.inc.php.dist config.inc.php
The next step is to edit the config file with the following command:
sudo nano /var/www/html/config/config.inc.php
Edit the configuration file so that it matches your database details, and add your reCAPTCHA keys:
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwadb';
$_DVWA[ 'db_user' ] = 'dvwauser';
$_DVWA[ 'db_password' ] = 'password';
# Note, you will need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ] = 'generated key';
$_DVWA[ 'recaptcha_private_key' ] = 'generated key';
Save the file (CTRL+O), then exit (CTRL+X).
Note: Do not forget to generate the reCAPTCHA values in the configuration file using the Google service.
The next part is to set the owner permission to the Apache root directory.
Set the owner permission using the following terminal command:
sudo chown -R apache:apache /var/www/html
To apply the changes, restart the Apache and MariaDB services:
sudo systemctl restart httpd mariadb
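The php.ini, MariaDB and config.inc.php steps above all have to agree on the same database name and credentials, and the easiest way to get that wrong is to type each value twice. The following script is an added example, not part of the original tutorial or of the DVWA project: it edits a php.ini and a copy of config.inc.php.dist in place, and then derives the MariaDB statements from the values actually written to config.inc.php so the grant can only ever target the database DVWA will connect to. The function names and the GNU sed -i usage are this example's own assumptions; the paths and values in the usage comment are the tutorial's.

```bash
#!/usr/bin/env bash
# Added example, not part of the original tutorial or of DVWA itself.
# Helpers that script the php.ini, config.inc.php and MariaDB steps so the
# database name and credentials come from one place and cannot drift apart
# (the GRANT must be on the same database that config.inc.php names).
set -eu

# Set a php.ini directive in place. Rewrites an existing (or commented-out)
# assignment, or appends the directive if the file does not mention it.
set_php_directive() {
  local ini="$1" key="$2" value="$3"
  if grep -Eq "^[[:space:];]*${key}[[:space:]]*=" "$ini"; then
    sed -i -E "s#^[[:space:];]*${key}[[:space:]]*=.*#${key} = ${value}#" "$ini"
  else
    printf '%s = %s\n' "$key" "$value" >> "$ini"
  fi
}

# Read the effective value of a directive (last uncommented assignment wins).
get_php_directive() {
  local ini="$1" key="$2"
  sed -nE "s#^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([^[:space:];]+).*#\1#p" "$ini" | tail -n 1
}

# The three settings the tutorial asks for. allow_url_include = On is
# deliberately unsafe (it lets PHP include remote URLs) and is enabled only
# so DVWA's file-inclusion lessons work: one more reason the VM stays isolated.
configure_dvwa_php_ini() {
  local ini="$1"
  set_php_directive "$ini" allow_url_fopen On
  set_php_directive "$ini" allow_url_include On
  set_php_directive "$ini" display_errors Off
}

# Set one $_DVWA[ 'key' ] entry in a copy of config.inc.php.dist.
set_dvwa_option() {
  local cfg="$1" key="$2" value="$3"
  sed -i -E "s#^\\\$_DVWA\\[[[:space:]]*'${key}'[[:space:]]*\\][[:space:]]*=.*#\$_DVWA[ '${key}' ] = '${value}';#" "$cfg"
}

# Read one $_DVWA[ 'key' ] entry back (the quoted string value).
get_dvwa_option() {
  local cfg="$1" key="$2"
  sed -nE "s#^\\\$_DVWA\\[[[:space:]]*'${key}'[[:space:]]*\\][[:space:]]*=[[:space:]]*'([^']*)'.*#\1#p" "$cfg" | tail -n 1
}

# Render the MariaDB statements from the values in config.inc.php, so the
# database in CREATE DATABASE and in GRANT is the one DVWA will connect to.
render_db_sql() {
  local cfg="$1" db user pass
  db=$(get_dvwa_option "$cfg" db_database)
  user=$(get_dvwa_option "$cfg" db_user)
  pass=$(get_dvwa_option "$cfg" db_password)
  printf "CREATE DATABASE IF NOT EXISTS %s;\nGRANT ALL ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\nFLUSH PRIVILEGES;\n" \
    "$db" "$db" "$user" "$pass"
}

# Usage on the real box, in a root shell (sudo -i), with the tutorial's values:
#   cp /etc/php.ini /etc/php.ini.bak && configure_dvwa_php_ini /etc/php.ini
#   cfg=/var/www/html/config/config.inc.php
#   set_dvwa_option "$cfg" db_database dvwadb
#   set_dvwa_option "$cfg" db_user dvwauser
#   set_dvwa_option "$cfg" db_password password
#   render_db_sql "$cfg" | mysql -u root
```

Because render_db_sql reads config.inc.php rather than taking its own arguments, a mismatch like granting on dvwa.* while the config says dvwadb cannot happen; reviewing the rendered SQL before piping it into mysql is still worthwhile, since it contains the plaintext password from the config file.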
Configure SELinux and Firewall
SELinux is enabled by default on Rocky Linux 8. Because it restricts what the Apache process may do, you need to set the SELinux booleans that allow httpd to serve the DVWA files and to open the network connection to the database (the configuration above uses 127.0.0.1, so the connection goes over TCP).
To do this, run the following commands:
sudo setsebool -P httpd_unified 1
sudo setsebool -P httpd_can_network_connect 1
sudo setsebool -P httpd_can_network_connect_db 1
Now you will need to configure the firewall to allow access to port 80 with the following:
sudo firewall-cmd --permanent --zone public --add-port 80/tcp
To apply the change, reload the firewall with the following command:
sudo firewall-cmd --reload
Accessing and Using DVWA Web UI
The next part is accessing the DVWA web interface using your server's IP address. For example, the tutorial uses http://127.0.0.1/setup.php because it is set up in an isolated virtual machine. Once you have entered the address, you will be forwarded to the setup page.
At the bottom of the page, click on Create / Reset Database. This creates the tables DVWA needs in your database and then takes you to the login page.
Note: the default username is admin and the default password is password.
Enter the details and click on the Login button to proceed. You will now arrive at the main screen.
Congratulations, you have installed Damn Vulnerable Web Application (DVWA) successfully.
Comments and Conclusion
In this tutorial, you have learned how to install DVWA on Rocky Linux 8, which you can now use to practise testing web applications, check your security knowledge, or broaden your overall skill set. As warned at the start of the guide, you must not run this on a production server: by its very nature, it will be compromised.
Further information can be found on the project's GitHub page.