- Install DVWA on Kali Linux (Step-by-Step)
- Pre-requisites to install DVWA
- Step 1: Download Damn Vulnerable Web Application (DVWA)
- Step 2: Configure DVWA
- Step 3: Install MySQL on Kali Linux
- Install Damn Vulnerable Web Application (DVWA) in Kali Linux
- DVWA at a Glance
- Install DVWA on Kali Linux
- Pre-requisite
- 1. Download the DVWA GitHub Project
- 2. DVWA Configuration File
- 3. Configuring the Database
- 4. Configure the Apache2 Web Server
- 5. Launch DVWA on the Browser
- Conclusion
Install DVWA on Kali Linux (Step-by-Step)
In this tutorial, I will give you a step-by-step guide on how to set up and install DVWA on your Kali Linux system.
When starting as a penetration tester, you will need a pentesting lab to practice your skills. One such system is the Damn Vulnerable Web Application (DVWA). DVWA is a deliberately vulnerable web application developed using PHP and MySQL that allows ethical hackers to test out their hacking skills and security tools.
It’s also an excellent guide for professional web developers with security in mind. They can use it to learn which features of a web application are easy to exploit. Some of the most common web vulnerabilities demonstrated by this application include Cross-Site Request Forgery (CSRF), File Inclusion, SQL injection, Bruteforce attacks, and much more.
Pre-requisites to install DVWA
This tutorial assumes that you already have a Kali Linux system up and running.
Step 1: Download Damn Vulnerable Web Application (DVWA)
To get started, we will need to clone the DVWA GitHub repository into our /var/www/html directory. That is Apache's default document root on Debian-based systems such as Kali, where the files served from localhost are stored. Launch the terminal and change to the /var/www/html directory with the command below.
Once in this directory, we will clone the DVWA GitHub repository with the command below.
$ sudo git clone https://github.com/digininja/DVWA
After cloning, we can rename the DVWA folder to dvwa. That is not mandatory, but it makes work easier when executing multiple commands.
Step 2: Configure DVWA
After cloning DVWA into our /var/www/html directory, we still need to do some minor configuration. To get started, let’s set read, write, and execute permissions on the DVWA directory. Execute the command below.
After successfully executing the command, we need to set up the user and password required to access the database. Change directory to point to the config directory with the command below.
When you run the ls command to view the files inside the directory, you will see the config.inc.php.dist file. That is the original file containing the default configurations. We won’t edit it. Instead, we will create a copy of this file called config.inc.php and the original config.inc.php.dist file will act as our backup in case things go wrong.
Execute the command below.
sudo cp config.inc.php.dist config.inc.php
Run the command below to open the newly created file with the nano editor and make the necessary changes. We will set db_user to user and db_password to pass. Feel free to use a different username or password.
Save the file (Ctrl + O, then Enter) and exit (Ctrl + X). That’s it! We are done configuring the DVWA web application. Let’s move on and configure the database (MySQL).
Step 3: Install MySQL on Kali Linux
By default, MySQL comes pre-installed on Kali Linux. If that’s not the case for you or maybe you messed up with MySQL, we can go ahead and install it manually. If you have worked with Debian-based distributions, MySQL comes in two packages:
In our case, we need to install mysql-server. However, there is a catch. If you try the command apt install mysql-server, you will most likely get the error «Package mysql-server is not available, but is referred to by another package. E: Package ‘mysql-server’ has no installation candidate.» That’s because the mysql-server package is provided as default-mysql-server in Kali Linux and also in the latest release of Debian (Debian 10). Therefore, use the command below:
sudo apt install default-mysql-server
Install Damn Vulnerable Web Application (DVWA) in Kali Linux
If you are on the path to becoming a bug bounty hunter, or you want to learn about web application vulnerabilities, you really need a dummy website to practice on. Never touch a vulnerability scanner until you know how to deal with the vulnerabilities it finds. It is useless to launch a scan against a website and find a potential SQL injection vulnerability if you do not know how to do the injection. Dummy web applications allow you to practice, test, and exploit vulnerabilities within a safe environment.
We will learn the following topics in detail:
- Installing & Configuring DVWA in Kali Linux
- Apache 2 web server setup
- PHP configuration
- MySQL database setup
DVWA at a Glance
Damn Vulnerable Web Application (DVWA) is a web application that is built for a penetration tester to test and practice their offensive hacking skills in a controlled environment.
Install DVWA on Kali Linux
Installing DVWA on Kali is easy, and there are several methods available. First, the user can download the project from the DVWA GitHub page and configure a few settings such as the database, web server, and PHP. Second, the user can get a prebuilt DVWA package when installing Metasploitable. Third, the Kali Linux repository also provides a package for DVWA, installed using the apt install command. The last method is the easiest way to install DVWA on Kali Linux.
In this tutorial, we will learn how to build and install DVWA on Kali Linux manually. The aim is to learn how a website is put together and which technologies are commonly used to build one.
Pre-requisite
Before installing DVWA on our Kali Linux system, make sure we have an updated repo list and have installed all of the required packages with the following commands:
sudo apt update
sudo apt install -y apache2 mariadb-server mariadb-client php php-mysqli php-gd libapache2-mod-php
1. Download the DVWA GitHub Project
First, we need to download or clone the DVWA GitHub project into the /var/www/html directory on our Kali Linux system. Simply use the git clone command to do that, but make sure to change the current directory to /var/www/html first using the cd command.
Once you have downloaded the project, let us take a look at what files are in it.
Then, set read, write, and execute permissions on the DVWA directory.
This permission allows DVWA to store the PHPIDS logs and to store uploaded files in the DVWA/hackable/uploads directory.
2. DVWA Configuration File
DVWA's example configuration file is located in the /config directory. The filename is config.inc.php.dist. It contains settings such as the DBMS, the database credentials, the default DVWA security settings, and many more. Let us take a look at the file below.
This file is only an example; DVWA will not use it. Instead, we will copy this file and rename the copy (by removing the .dist at the end) to config.inc.php.
Now, open the copied file (config.inc.php) using any text editor and change the database default setting of username and password.
As an example, we will change the user to ‘user’ and the password to ‘passweed’.
Please take note of the value above. We need the value of db_server, db_database, db_user, and db_password for the next configuration below.
3. Configuring the Database
First, we need to fire up the MySQL service by using the following command:
Then, log in to MySQL as the root user. You will be asked for the root password:
Let us recap the database info value on the DVWA configuration setting (in step 2) that we are going to use in the table below.
From the information above, create a database user with the name ‘user’ and the password ‘passweed’ on our localhost server at ‘127.0.0.1’ using the following command:
If configured correctly, the output will be “Query OK”.
The last step is to grant the user all privileges on the ‘dvwa’ database. Run the command below. You need to supply the username, password, and server information again.
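The database account has to match config.inc.php exactly, so one way to avoid typing the values twice is to generate the statements from the file. This is an added example, not part of the original tutorial or the DVWA project; it assumes config lines of the form `$_DVWA[ 'db_user' ] = 'user';`, and the function names and sample file are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example, not DVWA project code. Assumes config lines of the form
#   $_DVWA[ 'db_user' ] = 'user';

# Constructed sample config using the values from this tutorial.
sample_cfg() {
  cat <<'EOF'
<?php
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'user';
$_DVWA[ 'db_password' ] = 'passweed';
EOF
}

# Print the value assigned to one $_DVWA key (last assignment wins).
dvwa_cfg_get() {  # usage: dvwa_cfg_get FILE KEY
  sed -n "s/^[[:space:]]*\\\$_DVWA\[[[:space:]]*'$2'[[:space:]]*][[:space:]]*=[[:space:]]*'\([^']*\)'[[:space:]]*;.*/\1/p" "$1" | tail -n 1
}

# Refuse empty values and characters that would end a quoted SQL string or identifier.
sql_safe() {
  case $1 in
    ''|*"'"*|*\\*|*'`'*) return 1 ;;
  esac
}

# Emit CREATE USER / GRANT statements scoped to the one database and host in the config.
dvwa_sql() {  # usage: dvwa_sql FILE
  local cfg=$1 key val user pass host db
  for key in db_user db_password db_server db_database; do
    val=$(dvwa_cfg_get "$cfg" "$key")
    sql_safe "$val" || { echo "missing or unsafe $key in $cfg" >&2; return 1; }
    case $key in
      db_user) user=$val ;; db_password) pass=$val ;;
      db_server) host=$val ;; db_database) db=$val ;;
    esac
  done
  cat <<EOF
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'$host';
EOF
}

# Demo on the constructed sample; on a real host, pipe the output of
# dvwa_sql /var/www/html/DVWA/config/config.inc.php into: sudo mysql -u root -p
demo_cfg=$(mktemp) && sample_cfg > "$demo_cfg" && dvwa_sql "$demo_cfg"
rm -f "$demo_cfg"
```

The grant covers only the dvwa database for the account at 127.0.0.1, so the lab credentials give no access to other databases on the same server.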
4. Configure the Apache2 Web Server
The PHP configuration used by Apache on your Kali Linux is stored in the /etc/php directory, in a subdirectory named after your PHP version. In this tutorial, we are using the latest PHP version 8.1.
Now, we will enable the PHP directive allow_url_include. The configuration is stored in the apache2/php.ini file under that version directory. Open the file using your favorite text editor. Here, I am using the nano text editor.
Scroll down to the Fopen wrappers section and ensure these two directives are enabled by setting their value to On: allow_url_fopen and allow_url_include.
Then, save the changes by pressing Ctrl + O and Enter. Exit the nano editor by pressing Ctrl + X. Enabling these directives is what lets DVWA's remote file inclusion (RFI) exercise work. Note that this php.ini applies to every PHP site served by this Apache instance, not only DVWA.
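To confirm what the file actually says after editing, and to see which state a given php.ini is in, the two directives can be read back without opening an editor. This is an added example, not part of the original tutorial; the function names and the sample fragment are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the tutorial. Reads php.ini directives without changing the file.

# Constructed php.ini fragment: one commented-out line and two live settings.
sample_ini() {
  cat <<'EOF'
[PHP]
; allow_url_include = On
allow_url_fopen = On
allow_url_include = Off   ; inline comment
EOF
}

# Print the effective value of a directive: comment lines are skipped and
# the last live assignment wins. Prints "unset" when the directive is absent.
php_ini_get() {  # usage: php_ini_get FILE DIRECTIVE
  awk -v k="$2" '
    /^[ \t]*;/ { next }
    {
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
      if (key != k) next
      val = substr($0, eq + 1)
      sub(/;.*$/, "", val); gsub(/[ \t\r"]/, "", val)
      found = val
    }
    END { print (found == "" ? "unset" : found) }' "$1"
}

# PHP treats On, 1, yes and true (any case) as enabled.
php_flag_on() {
  case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
    on|1|yes|true) return 0 ;;
    *) return 1 ;;
  esac
}

# Report both directives; returns 0 only when both are enabled.
dvwa_php_check() {  # usage: dvwa_php_check FILE (e.g. /etc/php/8.1/apache2/php.ini)
  local rc=0 d v
  for d in allow_url_fopen allow_url_include; do
    v=$(php_ini_get "$1" "$d")
    if php_flag_on "$v"; then echo "$d = $v (enabled)"; else echo "$d = $v (disabled)"; rc=1; fi
  done
  return $rc
}

demo_ini=$(mktemp) && sample_ini > "$demo_ini"
dvwa_php_check "$demo_ini" || echo "not yet configured for the DVWA file inclusion exercise"
rm -f "$demo_ini"
```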
5. Launch DVWA on the Browser
Once everything is configured, restart the apache2 service and the MySQL service by running the following command:
Then, open a browser and visit http://localhost/DVWA/ or http://127.0.0.1/DVWA/. You will see the DVWA welcome page.
One last configuration step remains. We created the database user credentials earlier, but we did not create the database. To create it, go to the DVWA page and click ‘Setup / Reset DB’ in the left panel.
You will see the ‘Database Setup’ page. Now, scroll all the way down to the bottom and find a button named ‘Create / Reset Database’.
The setup is done. Your DVWA is ready to be exploited. You can explore every available vulnerability page in DVWA, such as Brute Force, Command Injection, CSRF, File Inclusion, File Upload, SQL Injection, XSS, and many more.
Be sure to select a suitable security level before running a test. By default, the security level is set to impossible, which is another term for a secure page. Please start from the lowest level to master the fundamental concepts.
Conclusion
Hacking is a practical skill that takes experience and a lot of practice performing penetration tests. DVWA is useful for training, or for teaching others how web application vulnerabilities are attacked, with no risk and in a controlled environment.