Setup DVWA to Practice Application Security Pentesting

DVWA is a purposefully built “vulnerable” web application designed to teach Application Security pentesting.

This guide will show you how to install and configure DVWA.

LAMP Stack Base Setup

If you haven’t already done so, setup a LAMP stack

You will need to remove the default index.html page. Login via SSH and run the following command:

Setup DVWA Database

The DVWA needs a database. To create one, login to mysql and add a user called dvwa. You’ll need your password when you edit config files, so save it.

Download DVWA

The project is hosted on GIT and is downloaded with your favorite git client (command line example to download into the /tmp/DVWA location):

Install DVWA

Simply copy the files to the proper location on your web server. If you used the LAMP stack setup guide above for Ubuntu 18.04 LTS, that would be:

Create Config File

The configuration file for your DVWA install needs to be

Update Config File

Next you’ll need to update the config settings file so it knows how to connect to the database you just created.

Read through the config file for the other options you can change, such as testing captchas.

Make PHP More Vulnerable

DVWA demonstrates vulnerabilities in PHP (among other things). In order to go through these tutorials on PHP vulnerabilities, you will need to make sure the PHP portion of your LAMP server is insecure.

Make the following changes:

Create Insecure File Permissions

DVA Needs access to the following locations to demonstrate the file permissions flaws:

  • /var/www/html/hackable/uploads/
  • /var/www/html/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt

To set these up with permissive file permissions that the web server can manipulate, you change ownership using the chown command:

Test Your Setup

Visit the IP of your server in a browser to see what else you need to setup:
DVWA Setup

Create DB using DVWA Setup

If everything looks good, go ahead and create your database:
dbva create database

Login with admin/password

The default user/pass is admin/password.
dvwa admin password

Begin Using DVWA

Read the instructions and tutorials and go through the OWASP top 10 list provided by this awesome DVWA tutorial.
dvwa welcome screen

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.