Learn how to install DVWA (Damn Vulnerable Web Application) on Rocky Linux 8 with our detailed guide. Perfect for practicing web security and vulnerability testing.
What is DVWA?
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled classroom environment.
The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.
Damn Vulnerable Web Application (DVWA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. (Source: https://github.com/digininja/DVWA)
Environment Specification
We are using a minimal Rocky Linux 8 virtual machine with the following specifications.
- CPU – 3.4 GHz (2 cores)
- Memory – 2 GB
- Storage – 20 GB
- Operating System – Rocky Linux 8.6 (Green Obsidian)
- Hostname – dvwa-01.centlinux.com
- IP Address – 192.168.116.128/24
Update Linux Software Packages
Connect to dvwa-01.centlinux.com as the root user using an SSH client.
Execute the following command at the Linux bash prompt to refresh the yum cache.
# dnf makecache
Rocky Linux 8 - AppStream 2.0 kB/s | 4.8 kB 00:02
Rocky Linux 8 - BaseOS 1.9 kB/s | 4.3 kB 00:02
Rocky Linux 8 - Extras 954 B/s | 3.5 kB 00:03
Metadata cache created.
Update your Linux software packages by executing the following dnf command.
# dnf update -y
If the previous command updates your Linux Kernel, then you have to restart your Linux operating system before moving forward.
# reboot
After reboot, verify the Linux Operating System and Kernel versions as follows.
# cat /etc/rocky-release
Rocky Linux release 8.6 (Green Obsidian)
# uname -r
4.18.0-372.13.1.el8_6.x86_64
Install DVWA Prerequisites
DVWA (Damn Vulnerable Web Application) is a PHP-based web application.
Therefore, you need a LAMP server or a LEMP server to deploy it.
Here, we are installing a LAMP Stack Server. Alternatively, you can install a LEMP Stack server for DVWA web application.
Execute the following Linux command to install Apache web server, MariaDB database server, PHP and relevant modules on your DVWA server.
# dnf install git wget httpd php php-mysqlnd php-pdo php-cli php-gd mariadb-server -y
Edit the PHP configuration file by using the vim text editor.
# vi /etc/php.ini
Locate and set the following PHP directives in this file.
display_errors = Off
allow_url_fopen = On
allow_url_include = On
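An added example, not part of the original guide: a shell check that reads back the effective values of the three directives above, because php.ini contains commented lines that mention the same directives and a plain grep can mislead. The function names and the sample file are constructed for illustration.

```shell
# ini_value FILE KEY: print the last uncommented assignment of KEY,
# or "(unset)" when the file never assigns it.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                      # commented-out directive
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)          # trailing comment (values here have no ";")
            eq = index(line, "=")
            if (eq == 0) next                    # section header or blank line
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 } # a later line overrides an earlier one
        }
        END { if (found) print val; else print "(unset)" }
    ' "$1"
}

# ini_bool FILE KEY: normalise the value to on / off / unset.
ini_bool() {
    case "$(ini_value "$1" "$2" | tr '[:upper:]' '[:lower:]')" in
        on|true|yes|1) echo on ;;
        "(unset)")     echo unset ;;
        *)             echo off ;;
    esac
}

# check_dvwa_php_ini FILE: exit status = number of directives that differ from this guide.
check_dvwa_php_ini() {
    bad=0
    for want in display_errors=off allow_url_fopen=on allow_url_include=on; do
        key=${want%%=*}; got=$(ini_bool "$1" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "MISMATCH $key: effective=$got expected=${want#*=}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: php.ini after an edit that changed only a comment line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
; display_errors = On
display_errors = Off
allow_url_fopen = On   ; set for the lab
;allow_url_include = On
allow_url_include = Off
EOF
check_dvwa_php_ini "$SAMPLE" || echo "php.ini does not match the guide"
```

On the lab host, pass /etc/php.ini instead of the sample file; here the check reports allow_url_include because only the commented copy was set to On.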
Enable and start PHP, Apache and MariaDB services.
# systemctl enable --now php-fpm httpd mariadb
Created symlink /etc/systemd/system/multi-user.target.wants/php-fpm.service → /usr/lib/systemd/system/php-fpm.service.
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → /usr/lib/systemd/system/mariadb.service.
Configure MariaDB Server for DVWA Software
You need to configure the initial settings of your MySQL database server as follows.
# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
Log in to your MariaDB database server as the root user.
# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 10.3.32-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
Execute the following set of SQL commands to create a database and user for the DVWA web application.
MariaDB [(none)]> create database dvwa;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> grant all on dvwa.* to dvwauser@localhost identified by 'Str0ngP@ssw0rd';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> exit
Bye
How to install DVWA on Rocky Linux 8
The process to install DVWA on Rocky Linux 8 is straightforward.
DVWA is PHP based, so you can clone its source from Git and place it into the Apache document root for immediate deployment.
Execute the git command to clone the DVWA project into the /var/www/html directory.
# git clone https://github.com/digininja/DVWA.git /var/www/html/
Cloning into '/var/www/html'...
remote: Enumerating objects: 3926, done.
remote: Counting objects: 100% (35/35), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 3926 (delta 15), reused 31 (delta 15), pack-reused 3891
Receiving objects: 100% (3926/3926), 1.74 MiB | 1.10 MiB/s, done.
Resolving deltas: 100% (1833/1833), done.
Now create a copy of the DVWA configuration file and edit it in the vim text editor.
# cd /var/www/html/config/
# cp config.inc.php.dist config.inc.php
# vi /var/www/html/config/config.inc.php
Locate and set the following directives therein.
$DBMS = 'MySQL';
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'dvwauser';
$_DVWA[ 'db_password' ] = 'Str0ngP@ssw0rd';
$_DVWA[ 'db_port'] = '3306';
$_DVWA[ 'recaptcha_public_key' ] = '2RwaiQfbAAAAAEZlwAfH88bpdk1n06gf_Qb2Czgf';
$_DVWA[ 'recaptcha_private_key' ] = '2RwaiQfbAAAAAMVHAi4wFAIt9150QqbgbOkSBRY6';
You can generate reCAPTCHA keys from the Google reCAPTCHA website.
Grant ownership of the DVWA software files to the apache user.
# chown -R apache:apache /var/www/html
Set the following SELinux booleans as required by Damn Vulnerable Web Application.
# setsebool -P httpd_unified 1
# setsebool -P httpd_can_network_connect 1
# setsebool -P httpd_can_network_connect_db 1
Configure the Linux firewall to allow the HTTP service.
# firewall-cmd --permanent --add-service=http
success
# firewall-cmd --reload
success
Access DVWA Login Page
Open the URL http://dvwa-01.centlinux.com in a web browser.
Log in as the MySQL root user.
If you have performed the previous steps accurately, then you don’t have to set up anything here.
Click on <Create / Reset Database> to create DVWA database objects.
You can use the default username/password, i.e. admin/password, for the DVWA login.
After a successful login, you will reach the dashboard of Damn Vulnerable Web Application.
Final Thoughts
After following our guide to install DVWA (Damn Vulnerable Web Application) on Rocky Linux 8, you’re all set to delve into web security and vulnerability testing.