Share on Social Media

In this article, you will learn how to install DVWA on Linux 8 or other RPM based Linux distros. #centlinux #linux #dvwa

What is DVWA? :

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students &teachers to learn about web application security in a controlled class room environment.

The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

Damn Vulnerable Web Application (DVWA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. (Source: https://github.com/digininja/DVWA)

Recommended Online Training: Complete Website Ethical Hacking and Penetration Testing
Recommended Book: SQL Injection Exploitation – DVWA (PAID LINK) by SHU DU (Author)

Environment Specification:

We are using a minimal Rocky Linux 8 virtual machine with following specifications.

  • CPU – 3.4 Ghz (2 cores)
  • Memory – 2 GB
  • Storage – 20 GB
  • Operating System – Rocky Linux 8.6 (Green Obsidian)
  • Hostname – grafana-01.centlinux-com.preview-domain.com
  • IP Address – 192.168.116.128 /24

Update Linux Software Packages:

Connect with dvwa-01.centlinux-com.preview-domain.com as root user, by the help of a ssh client.

Execute following command at Linux bash to refresh yum cache.

# dnf makecache
Rocky Linux 8 - AppStream                       2.0 kB/s | 4.8 kB     00:02
Rocky Linux 8 - BaseOS                          1.9 kB/s | 4.3 kB     00:02
Rocky Linux 8 - Extras                          954  B/s | 3.5 kB     00:03
Metadata cache created.

Update your Linux software packages by executing following dnf command.

# dnf update -y

If the previous command updates your Linux Kernel, then you have to restart your Linux operating system before moving forward.

# reboot

After reboot, verify the Linux Operating System and Kernel versions as follows.

# cat /etc/rocky-release
Rocky Linux release 8.6 (Green Obsidian)

# uname -r
4.18.0-372.13.1.el8_6.x86_64

Install DVWA Prerequisites:

DVWA – Damn Vulnerable Web Application is PHP based web application.

Therefore, you are required a LAMP Server or LEMP server to deploy it.

Here, we are installing a LAMP Stack Server. Alternatively, you can install a LEMP Stack server for DVWA web application.

Execute the following Linux command to install Apache web server, MariaDB database server, PHP and relevant modules on your DVWA server.

# dnf install git wget httpd php php-mysqlnd php-pdo php-cli php-gd mariadb-server -y

Edit PHP configuration file by using vim text editor.

# vi /etc/php.ini

Locate and set following PHP directives in this file.

display_errors = Off
allow_url_fopen = On
allow_url_include = On

Enable and start PHP, Apache and MariaDB services.

# systemctl enable --now php-fpm httpd mariadb
Created symlink /etc/systemd/system/multi-user.target.wants/php-fpm.service → /usr/lib/systemd/system/php-fpm.service.
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → /usr/lib/systemd/system/mariadb.service.

Configure MariaDB Server for DVWA Software:

You need to configure initial settings of your MySQL database server as follows.

# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Login to your MariaDB database server as root user.

# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or g.
Your MariaDB connection id is 16
Server version: 10.3.32-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

MariaDB [(none)]>

Execute following set of SQL commands to create a database and user for DVWA web application.

MariaDB [(none)]> create database dvwa;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> grant all on dvwa.* to dvwauser@localhost identified by 'Str0ngP@ssw0rd';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> exit
Bye

Install DVWA on Linux:

Process to install DVWA on Linux is pretty straight forward.

DVWA is PHP based, so you can clone it’s Source from Git and place it into Apache Document Root for immediate deployment.

Execute git command to clone DVWA project into /var/www/html directory.

# git clone https://github.com/digininja/DVWA.git /var/www/html/
Cloning into '/var/www/html'...
remote: Enumerating objects: 3926, done.
remote: Counting objects: 100% (35/35), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 3926 (delta 15), reused 31 (delta 15), pack-reused 3891
Receiving objects: 100% (3926/3926), 1.74 MiB | 1.10 MiB/s, done.
Resolving deltas: 100% (1833/1833), done.

Now create a copy of DVWA configuration file and edit it in vim text editor.

# cd /var/www/html/config/
# cp config.inc.php.dist config.inc.php
# vi /var/www/html/config/config.inc.php

Locate and set following directives therein.

$DBMS = 'MySQL';

$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'dvwauser';
$_DVWA[ 'db_password' ] = 'Str0ngP@ssw0rd';
$_DVWA[ 'db_port'] = '3306';

$_DVWA[ 'recaptcha_public_key' ]  = '2RwaiQfbAAAAAEZlwAfH88bpdk1n06gf_Qb2Czgf';
$_DVWA[ 'recaptcha_private_key' ] = '2RwaiQfbAAAAAMVHAi4wFAIt9150QqbgbOkSBRY6';

You can generate ReCaptcha keys from Google ReCaptcha website.

Grant ownership of DVWA software files to apache user.

# chown -R apache:apache /var/www/html

Set following SELinux Boolean as required by Damn Vulnerable Web Application.

# setsebool -P httpd_unified 1
# setsebool -P httpd_can_network_connect 1
# setsebool -P httpd_can_network_connect_db 1

Configure Linux firewall and allow HTTP service.

# firewall-cmd --permanent --add-service=http
success
# firewall-cmd --reload
success

Access DVWA Web Application:

Open URL http://dvwa-01.centlinux-com.preview-domain.com in a web browser.

dvwa login as root user

Login as MySQL root user.

dvwa database setup

If you have performed the previous steps accurately, then You don’t have to setup anything here.

Click on <Create / Reset Database> to create DVWA database objects.

dvwa login as admin

You can use default username/password i.e. admin/password for DVWA Login.

dvwa dashboard

After successful login, You will reach at the Dashboard of Damn Vulnerable Web Application.

Conclusion – Install DVWA on Linux 8:

In this article, you have learned how to install DVWA on Linux 8 or other RPM based Linux distros.

Leave a Reply

Your email address will not be published. Required fields are marked *