How to Install Damn Vulnerable Web Application on Rocky Linux 8

Damn Vulnerable Web Application (DVWA) is a PHP and MySQL web application, a free and open-source vulnerable web application. Its main goal is to aid security professionals in testing their skills and tools with various difficulty levels to help web developers better understand the processes of securing web applications.


Do not upload it to your hosting provider’s public html folder or any Internet-facing servers, as they will be compromised. Using a virtual machine (such as VirtualBox or VMware) is recommended, set to NAT networking mode.


  • Recommended OS: Rocky Linux 8.+.
  • User account: A user account with sudo or root access.
  • Required packages: git

Update Operating System

Update your Rocky Linux operating system to make sure all existing packages are up to date:

sudo dnf upgrade --refresh -y

The tutorial will be using the sudo command and assuming you have sudo status.

To verify sudo status on your account:

sudo whoami

Example output showing sudo status:

[joshua@rockylinux ~]$ sudo whoami

To set up an existing or new sudo account, visit our tutorial on How to Add a User to Sudoers on Rocky Linux.

To use the root account, use the following command with the root password to log in.


Install Git Package

In the tutorial, you will need Git installed using the following command:

sudo dnf install git -y

Installing Apache, MariaDB and PHP for DVWA

DVWA is PHP and MySQL-based application. For this, you will need to install Apache web server, MariaDB, PHP, and some other required packages. To do this, use the following terminal command:

sudo dnf install httpd mariadb-server php php-pdo php-mysqlnd php-cli php-gd git -y

Now you will need to edit the PHP configuration file (php.ini).

First, open up the configuration file using nano:

sudo nano /etc/php.ini

Next, locate the following lines using (CTRL+W) to search to the below:

allow_url_fopen = On
allow_url_include = On
display_errors = Off

Save the configuration file (CTRL+O), then exit (CTRL+X).

Restart Apache and MariaDB services using the below commands that will also enable the services on boot:


sudo systemctl enable httpd --now


sudo systemctl enabloe mariadb --now

Once enabled, verify both services are working with the following commands:


sudo systemctl status httpd


sudo systemctl status mariadb

If all services are running with status ok and green, you can proceed to the next part of the tutorial.

Configuring MariaDB for DVWA

Now, you need to create a user and database to use DVWA.

First, connect to your MariaDB service with the following command:

sudo mysql -u root

Once you are connected, create a database and user with the following command:

create database dvwadb;
grant all on dvwa.* to dvwauser@localhost identified by 'password';

To finish off configuring MariaDB, flush the privileges and exit using the following command:

flush privileges;

Install DVWA

To download DVWA, you will use Git to clone the official repository from the project’s Github.

Clone the repository using the following command:

sudo git clone /var/www/html/

When you have finished cloning DVWA using Git, change to the directory and copy the configuration sample:

cd /var/www/html/config/
sudo cp

The next step is to edit the config file with the following command:

sudo nano /var/www/html/config/

You will now edit the configuration file to suit your database details and generate a reCAPTCHA key:

_DVWA[ 'db_server' ]   = '';
_DVWA[ 'db_database' ] = 'dvwadb';
_DVWA[ 'db_user' ]     = 'dvwauser';
_DVWA[ 'db_password' ] = 'password'; 

# Note, you will need to generate your own keys at:

_DVWA[ 'recaptcha_public_key' ]  = 'generated key';
_DVWA[ 'recaptcha_private_key' ] = 'generated key';

To save the file (CTRL+O), then exit (CTRL+X).

Note: Do not forget to generate the reCAPTCHA values in the configuration file using the Google service. 

The next part is to set the owner permission to the Apache root directory.

Set the owner permission using the following terminal command:

sudo chown -R apache:apache /var/www/html

To reflect the changes, restart the Apache and MariaDB service to apply the changes:

sudo systemctl restart httpd mariadb

Configure SELinux and Firewall

SELinux is automatically configured and enabled on Rocky Linux 8. Naturally, given SELinux is supposed to protect against threats, you will need to configure the security software to access the DVWA.

To do this, run the following command to configure to SELinux:

sudo setsebool -P httpd_unified 1
sudo setsebool -P httpd_can_network_connect 1
sudo setsebool -P httpd_can_network_connect_db 1

Now you will need to configure the firewall to allow access to port 80 with the following:

sudo firewall-cmd --permanent --zone public --add-port 80/tcp

To reflect the changes you will need to restart the firewall, use the following command:

sudo firewall-cmd --reload

Accessing and Using DVWA Web UI

The next part is accessing the DWVA web interface using your server IP address. For example, the tutorial uses HTTP:// as it is set up in an isolated Virtual Machine. Once you have entered the address, you will be forwarded to the following page:

How to Install Damn Vulnerable Web Application on Rock Linux 8

At the bottom of the page, click on the Create / Reset Database. This will create all the necessary configuration set up in your database and will then lead you to the following login page as below:

How to Install Damn Vulnerable Web Application on Rock Linux 8

Note, the default username is (admin), and the default password is (password).

Enter the details and click on the Login button to proceed. You will now come to the main screen as below:

How to Install Damn Vulnerable Web Application on Rock Linux 8

Congregations, you have installed Damn Vulnerable Web Application (DVWA) successfully.

Comments and Conclusion

In the tutorial, you have learned to install Rocky Linux 8 DVWA which you can now use to test your web applications or your security knowledge or increase your overall skill set. A word of warning as per the start of the guide, you must not use this in a production server as it will be compromised as per the nature of this software.

Further information can be found on the projects Github page.


Like to get automatic updates? Follow us on one of our social media accounts!