Installation Guide for DVWA on Linux

According to DVWA’s website, Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment.

DVWA’s Installation Steps

  1. Open your terminal
  2. Change directory to /var/www/html: type cd /var/www/html
  3. Download the DVWA package: type wget https://github.com/ethicalhack3r/DVWA/archive/master.zip
  4. Extract the DVWA package: type unzip master.zip

    Screenshot for Step 1 until Step 4

  5. Verify that these files exist in /var/www/html: type ls
  6. Move the contents of the DVWA-master directory to the web root directory: type mv DVWA-master/* /var/www/html
  7. Change the owner of the /var/www/html directory: type chown -R www-data:www-data /var/www/html

    Screenshot for Step 5 until Step

  8. Start the web server (apache2) and database (mysql) services: type service apache2 start ; service mysql start
  9. Secure the MySQL installation: type mysql_secure_installation
    P.S.: It is important that you do not leave the MySQL root password blank!
  10. Open your Kali machine’s IP address in your browser: type http://<your_IP_address>. If you do not know your IP address, type ifconfig. The highlighted number should be your IP address.

    This page will show up if Apache2 service is running on your PC. 🙂

  11. Open http://<your_ip_address>/login.php to log in to DVWA. However, DVWA cannot be accessed immediately. We still need to configure several things.
    • DVWA system error – config file not found.
      To fix it, copy config/config.inc.php.dist to config/config.inc.php by typing cp config/config.inc.php.dist config/config.inc.php. After copying the config file, the login page will redirect you to the setup page, which shows red notices that need to be fixed before we can log in to DVWA:
    • PHP function allow_url_include: Disabled
      From the picture in step A, DVWA says that we need to change the php.ini file that is located in:

      • /etc/php/7.0/cli
      • /etc/php/7.0/apache2
      • /var/www/html

      so type cd <directory_name> and nano php.ini to edit the php.ini file. Press Ctrl+W (shortcut for search) and type allow_url_fopen. After that, set allow_url_fopen and allow_url_include to On, just as shown in the pictures below. Finally, press Ctrl+X to exit, then press Enter to save.

    • PHP module gd: missing
      This problem is related to image processing. Install the PHP module gd: type apt-get install php7.0-gd -y. Then, restart the apache2 service: type service apache2 restart.
    • reCAPTCHA key: Missing problem
      Go to https://www.google.com/recaptcha/admin. If you haven’t logged in to your Google Account, the page will ask you to log in first. After that, type your IP address in the Label field and choose any type of reCAPTCHA you want to use. Tick the ‘Accept the reCAPTCHA Terms of Service’ box and click Register.

      Site & Secret key will be generated after you click Register.

      Next, edit the config.inc.php file in the config folder. Go back to the /var/www/html directory first: type cd /var/www/html. Then, type cd config. Or you can directly type cd /var/www/html/config. To edit the config.inc.php file, type nano config.inc.php

      Copy your Site key to $_DVWA[ 'recaptcha_public_key' ] and your Secret key to $_DVWA[ 'recaptcha_private_key' ]. Change your db_user to anything but root (this is explained in the next step).

    • Root problem

      This message will show up if you click the Create/Reset Database button while the db_user in the config.inc.php file is still root (for MariaDB users only).

      Log in to MariaDB: type mysql -u root -p. Enter your root password. Then run the following commands:

      • create database dvwa;
      • grant all privileges on dvwa.* to <db_user>@localhost identified by '<db_password>';
      • flush privileges;

  12. After you have fixed all the problems in Step 11, click Create/Reset Database. You will then be redirected to http://<your_ip_address>/login.php. The default username is admin and the default password is password.
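
The step 11 fixes can be checked from the terminal before clicking Create/Reset Database. The script below is an added example, not part of DVWA or of the original guide: the function names and the sample files are made up for illustration, and it assumes the `$_DVWA[ 'key' ] = 'value';` line format in config.inc.php. It does not cover the gd module check.

```shell
#!/usr/bin/env bash
# Read-only preflight for the step 11 fixes (added example; nothing is modified).

# Effective value of a php.ini directive: the last uncommented assignment wins.
ini_value() {  # usage: ini_value <php.ini> <directive>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Value of a $_DVWA[ 'key' ] = 'value'; line in config.inc.php (assumed format).
dvwa_value() {  # usage: dvwa_value <config.inc.php> <key>
    sed -n "s/^[[:space:]]*\\\$_DVWA\[[[:space:]]*'$2'[[:space:]]*\][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1
}

# Print one line per check; the return status is the number of failed checks.
dvwa_preflight() {  # usage: dvwa_preflight <dvwa_root> <php.ini>
    local cfg="$1/config/config.inc.php" ini="$2" fails=0 d k
    [ -f "$cfg" ] || { echo "FAIL config file not found: $cfg"; return 1; }
    for d in allow_url_fopen allow_url_include; do
        case "$(ini_value "$ini" "$d" | tr '[:upper:]' '[:lower:]')" in
            on|1|true|yes) echo "ok   $d is On" ;;
            *) echo "FAIL $d is not On in $ini"; fails=$((fails + 1)) ;;
        esac
    done
    for k in recaptcha_public_key recaptcha_private_key; do
        if [ -n "$(dvwa_value "$cfg" "$k")" ]; then echo "ok   $k is set"
        else echo "FAIL $k is empty"; fails=$((fails + 1)); fi
    done
    if [ "$(dvwa_value "$cfg" db_user)" = "root" ]; then
        echo "FAIL db_user is still root"; fails=$((fails + 1))
    else echo "ok   db_user is not root"; fi
    return "$fails"
}

# Constructed sample: a DVWA tree and php.ini as they might look before step 11's edits.
make_sample() {  # usage: make_sample <empty_dir>
    mkdir -p "$1/config"
    printf '%s\n' "; comment" "allow_url_fopen = On" "allow_url_include = Off" > "$1/php.ini"
    printf '%s\n' "<?php" "\$_DVWA[ 'db_user' ]     = 'root';" \
        "\$_DVWA[ 'recaptcha_public_key' ]  = '';" \
        "\$_DVWA[ 'recaptcha_private_key' ] = '';" > "$1/config/config.inc.php"
}

# Run against real paths when given, e.g.:
#   ./preflight.sh /var/www/html /etc/php/7.0/apache2/php.ini
if [ "$#" -eq 2 ]; then dvwa_preflight "$1" "$2"; fi
```

Run it once per php.ini location listed in step 11, since the apache2 copy is the one the web server reads and the others may differ.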

DVWA’s Login Page

DVWA’s Front Page (after successful login)