DVWA, or Damn Vulnerable Web Application, is a PHP/MySQL web application for web security enthusiasts to test their skills and tools in a legal environment.

LAMP Server is required!

This tutorial assumes you understand what a LAMP server is. Download DVWA into /var/www/html:
wget https://github.com/ethicalhack3r/DVWA/archive/master.zip

Unzip the file, and rename it to dvwa. Change into /var/www/html/dvwa/config and rename the following file:

mv config.inc.php.dist config.inc.php

Restart the apache service and open localhost/dvwa in your browser. The first time you access DVWA, it performs a ‘Database Check’ to verify that your PHP settings, the ‘dvwa’ MySQL database, the file permissions, and the reCAPTCHA keys (public and private) are configured correctly. The page will look like this (mine is already configured).

Setup Check

Operating system: *nix
Backend database: MySQL
PHP version: 7.2.15-0ubuntu0.18.04.2

Web Server SERVER_NAME: 192.168.100.8

PHP function display_errors: Disabled
PHP function safe_mode: Disabled
PHP function allow_url_include: Enabled
PHP function allow_url_fopen: Enabled
PHP function magic_quotes_gpc: Disabled
PHP module gd: Installed
PHP module mysql: Installed
PHP module pdo_mysql: Installed

MySQL username: dvwa
MySQL password: ******
MySQL database: dvwa
MySQL host: localhost

reCAPTCHA key: 6LdVBZsUAAAAAPLL9ApvT2VhJ6slKqTU2kDsas3J

[User: root] Writable folder /var/www/html/dvwa/hackable/uploads/: Yes
[User: root] Writable file /var/www/html/dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: Yes
[User: root] Writable folder /var/www/html/dvwa/config: Yes

Any status shown in red indicates there will be an issue when trying to complete some modules.

If you see Disabled next to either allow_url_fopen or allow_url_include, set the following in your php.ini file and restart Apache:

allow_url_fopen = On
allow_url_include = On

These are only required for the file inclusion labs, so unless you want to play with those you can ignore them. Both are off in a default PHP install because they let include() and the file functions fetch remote URLs, so keep this configuration on an isolated lab host.

So, everything that’s red has to be turned green. Let’s start with PHP. On my machine, allow_url_fopen was disabled and the php-gd module was missing. The following changes fixed it.

For allow_url_fopen, edit the /etc/php/7.2/apache2/php.ini file:

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-fopen
allow_url_fopen = On

In the same file, change allow_url_include to On:

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-include
allow_url_include = On

To install the php-gd module, run (adjusting the package name to your PHP version):

apt-get install php7.2-gd

For MySQL, log in by executing mysql -u root -p, and verify that the dvwa database was created:

mysql> SHOW databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| mutillidae         |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
6 rows in set (0.00 sec)

If there’s no line that says dvwa, run the following commands (or else skip this):

mysql> CREATE database dvwa;
mysql> flush privileges;
mysql> exit

Now, for the MySQL username and password, edit /var/www/html/dvwa/config/config.inc.php and replace the username and password (a strong password is not important here):

# If you are using MariaDB then you cannot use root, you must create a dedicated DVWA user.
#   See README.md for more information on this.
$_DVWA = array();
$_DVWA[ 'db_server' ]   = 'localhost';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'dvwa';
$_DVWA[ 'db_password' ] = 'secretpassword';

For the reCAPTCHA keys, scroll down in the same file and look for these lines:

# ReCAPTCHA settings
#   Used for the 'Insecure CAPTCHA' module
#   You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ]  = '6LdVBZsUAAAAAPLL9ApvT2VhJ6slKqTU2kDsas3J';
$_DVWA[ 'recaptcha_private_key' ] = '6LdVBZsUAAAAAB3I9IQIav5UWv7XgLWM8-1H9Kgs';

Go to https://www.google.com/recaptcha/admin, register your own keys, and paste them into the two fields above.

To fix the file permission modes and group ownership, run the following commands from /var/www/html/dvwa/config:

cd ../
chgrp www-data hackable/uploads/
chmod g+w hackable/uploads/
chgrp www-data external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
chmod g+w external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
chgrp www-data config/
chmod g+w config/

Restart the apache and mysql service for the changes to take effect:

systemctl restart apache2 && systemctl restart mysql.service
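To confirm the php.ini and permission changes from the shell before reloading the page, here is a small check script (an added example, not part of the original tutorial or of DVWA itself). It assumes the tutorial's default php.ini path, DVWA root and www-data group, all overridable through environment variables.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of DVWA itself:
# re-run the php.ini and file-permission checks from DVWA's Setup Check
# page from the shell after editing, before reloading localhost/dvwa.
# Assumed defaults: the tutorial's php.ini path and DVWA root below.
PHP_INI="${PHP_INI:-/etc/php/7.2/apache2/php.ini}"
DVWA_ROOT="${DVWA_ROOT:-/var/www/html/dvwa}"
WEB_GROUP="${WEB_GROUP:-www-data}"

# Succeed only if an uncommented "<directive> = On" line is in the ini file
# ($1 = ini file, $2 = directive); a leading ';' comments the line out.
php_ini_is_on() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*On[[:space:]]*$" "$1"
}

# Succeed only if $1 exists, is owned by group $2 and is group-writable
# (the state the chgrp/chmod commands above produce). Uses GNU stat.
group_writable_by() {
    [ -e "$1" ] || return 1
    [ "$(stat -c %G "$1")" = "$2" ] || return 1
    [ "$(stat -c %A "$1" | cut -c6)" = "w" ]
}

# Run every check, print one line per item and return the failure count.
dvwa_setup_check() {
    fails=0
    for d in allow_url_fopen allow_url_include; do
        if php_ini_is_on "$PHP_INI" "$d"; then
            echo "OK   $d = On"
        else
            echo "FAIL $d is not On in $PHP_INI"; fails=$((fails + 1))
        fi
    done
    for p in hackable/uploads external/phpids/0.6/lib/IDS/tmp/phpids_log.txt config; do
        if group_writable_by "$DVWA_ROOT/$p" "$WEB_GROUP"; then
            echo "OK   $p writable by $WEB_GROUP"
        else
            echo "FAIL $p is not group-writable by $WEB_GROUP"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

dvwa_setup_check || echo "$? check(s) still fail; fix them and reload the page"
```

Run it as root (or any user that can read php.ini) and it exits non-zero while anything the Setup Check would flag is still wrong.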

Now, the last thing to do is to reload the localhost/dvwa page and click Create / Reset Database. You should see something like this:

Database has been created.
'users' table was created.
Data inserted into 'users' table.
'guestbook' table was created.
Data inserted into 'guestbook' table.
Backup file /config/config.inc.php.bak automatically created
Setup successful!

If you see the error “Could not connect to the MySQL service. Please check the config file.”, log into MySQL and run the following commands:

CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'secretpassword';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
FLUSH PRIVILEGES;

Log in with the default credentials (admin : password), and you’re good to go.


“When a blind man says, 'God is good,' this should be an eye-opener to those who can see.” ― Anthony Liccione