Tuesday, March 05, 2019

HOWTO : Install DVWA on Ubuntu 18.04.1 LTS

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Step 1 :

sudo apt install php7.2 php7.2-gd php-mysql mysql-server apache2 git

Set the MySQL server password as prompt.

Step 2 :

sudo mysql -u root -p


GRANT ALL PRIVILEGES ON dvwadb.* TO ‘dvwa’@’localhost’ IDENTIFIED BY ‘dvwapassword’;

Step 3 :

sudo nano /etc/php/7.2/apache2/php.ini

Change the "Off" to "On" :

allow_url_include = On

Step 4 :

cd /var/www/html

sudo git clone https://github.com/ethicalhack3r/DVWA.git

cd /var/www/html/DVWA

sudo chmod 777 /var/www/html/DVWA/config
sudo chmod 666 /var/www/html/DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
sudo chmod 777 /var/www/html/DVWA/hackable/uploads/

Step 5 :

sudo nano /etc/apache2/sites-enabled/000-default.conf

Append "/DVWA" as the end of "/var/www/html" :

DocumentRoot /var/www/html/DVWA

Step 6 :

sudo cp /var/www/html/DVWA/config/config.inc.php.dist /var/www/html/DVWA/config/config.inc.php

sudo nano /var/www/html/DVWA/config/config.inc.php

Make changes as the following :

$_DVWA[ 'db_server' ] = '';
$_DVWA[ 'db_database' ] = 'dvwadb';
$_DVWA[ 'db_user' ] = 'dvwa';
$_DVWA[ 'db_password' ] = 'dvwapassword';

Step 7 :

Go to https://www.google.com/recaptcha/admin to generate the keys for 'Insecure CAPTCHA' module and add to the related items at "config.inc.php".

Step 8 :

sudo systemctl restart apache2

Step 9 :


The username is "admin" while the password is "password".

Beware that the DVWA is vulnerable and do not allow it to be accessed via public.

Step 10 (Optional) :

sudo apt install php7.2-fpm

sudo a2enmod proxy_fcgi setenvif
sudo a2enconf php7.2-fpm

That's all! See you.