DVWA stands for Damn Vulnerable Web Application. It is a web application intentionally designed with vulnerabilities to help security professionals and enthusiasts practice and improve their web application security skills. DVWA is used as a training tool to learn about common web vulnerabilities such as cross-site scripting (XSS), SQL injection, command injection, file inclusion, and more. It provides a safe environment for users to exploit and understand the consequences of these vulnerabilities, allowing them to develop strategies to prevent such attacks in real-world scenarios.
INSTALLATION OF DVWA:
Setting up the vulnerable DVWA server on our Kali Linux machine.
First we switch to the root user for root privileges using the following command:
sudo su
On Linux the web root (the files served at localhost) is the /var/www/html directory, so we change to that directory in the terminal using the following command:
cd /var/www/html
Here we clone DVWA from its GitHub repository using the following command:
git clone https://github.com/digininja/DVWA.git
After cloning, we rename DVWA to dvwa (not necessary, but it saves typing later):
mv DVWA dvwa
Change the permissions on the dvwa directory using the following command (777 makes the tree readable, writable and executable by every user on the machine, which is acceptable for this local lab but not for a real server):
chmod -R 777 dvwa
Now we have to set up the web application so that it runs properly. For that we go to the config directory using the following command:
There we see the config.inc.php.dist file, which contains the default configuration. We make a copy of it with the .php extension (config.inc.php). We copy rather than rename so that, if anything goes wrong later, the default values are still available. We copy the file using the following command:
Now edit this config.inc.php file using the following command:
In the database section we change 'dvwa' (the default db_user) to 'user' and 'p@ssw0rd' (the default db_password) to 'pass'. See the screenshot below:
Then we save and exit by pressing Ctrl+O, then Enter, and then Ctrl+X.
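As an added example (not from the original post or the DVWA project), the following shell script performs the configuration steps just described: it copies config.inc.php.dist to config.inc.php while leaving the .dist template untouched, rewrites the db_user and db_password entries to 'user' / 'pass', and reads a value back so the change can be verified before the matching database user is created. The template it writes is constructed for the demo; on the real machine point the functions at /var/www/html/dvwa/config instead.

```shell
#!/bin/sh
# Added example (not DVWA project code): prepare DVWA's config.inc.php from
# the shipped .dist template and set the database credentials used in this
# tutorial. The real directory is /var/www/html/dvwa/config.

# prepare_dvwa_config <config-dir> <db_user> <db_password>
# Copies config.inc.php.dist to config.inc.php only if the copy does not
# exist yet (so the .dist file keeps the defaults for later recovery), then
# rewrites the db_user / db_password entries in place.
prepare_dvwa_config() {
    dir="$1"; user="$2"; pass="$3"
    if [ ! -f "$dir/config.inc.php" ]; then
        cp "$dir/config.inc.php.dist" "$dir/config.inc.php" || return 1
    fi
    # Template lines look like:  $_DVWA[ 'db_user' ] = 'dvwa';
    # [$] is a literal dollar sign in sed; \1 keeps everything before the value.
    sed -i \
        -e "s/^\([$]_DVWA\[ *'db_user' *\] *= *\)'[^']*';/\1'$user';/" \
        -e "s/^\([$]_DVWA\[ *'db_password' *\] *= *\)'[^']*';/\1'$pass';/" \
        "$dir/config.inc.php"
}

# dvwa_config_value <config-dir> <key>
# Prints the value of one $_DVWA[ 'key' ] entry from config.inc.php so the
# edit can be checked before the matching MariaDB user is created.
dvwa_config_value() {
    sed -n "s/^[$]_DVWA\[ *'$2' *\] *= *'\([^']*\)';.*/\1/p" "$1/config.inc.php"
}

# write_sample_template <config-dir>
# Writes a constructed stand-in for config.inc.php.dist carrying DVWA's
# shipped defaults, so the functions above can be exercised without the
# real install.
write_sample_template() {
    mkdir -p "$1"
    cat > "$1/config.inc.php.dist" <<'EOF'
<?php
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
EOF
}

# Demo: run against the constructed template in a temporary directory.
# Replace "$demo_dir" with /var/www/html/dvwa/config on the actual machine.
demo_dir=$(mktemp -d)
write_sample_template "$demo_dir"
prepare_dvwa_config "$demo_dir" user pass
printf 'db_user=%s db_password=%s db_database=%s\n' \
    "$(dvwa_config_value "$demo_dir" db_user)" \
    "$(dvwa_config_value "$demo_dir" db_password)" \
    "$(dvwa_config_value "$demo_dir" db_database)"
rm -r "$demo_dir"
```

Running the script on the real install is a matter of calling prepare_dvwa_config /var/www/html/dvwa/config user pass and then dvwa_config_value on db_user and db_password; the values printed are the ones that must match the CREATE USER statement later in the setup.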
Update the system first using this command:
As a recommended practice, we will add the official MariaDB apt repository using the following script.
Here we open a new terminal window and close the previous one. If we don't have mariadb-server on the Linux machine, we install it using the following command:
apt-get install mariadb-server mariadb-client -y
After the installation we start MySQL (MariaDB) using the following command:
service mysql restart
Now we secure MariaDB using the following command:
mysql_secure_installation
You will be prompted with six questions. Choose the options as shown below.
Enter current password for root (enter for none): Press Enter, as there is no password by default.
Set root password? [Y/n]: Select Y and enter a new password.
Remove anonymous users? [Y/n]: Select Y
Disallow root login remotely? [Y/n]: Enter Y
Remove the test database and access to it? [Y/n]: Enter Y
Reload privilege tables now? [Y/n]: Enter Y
Execute the following command to connect to MariaDB. When prompted, enter the root password you set up in the previous step.
Now we configure the database. We start by creating a new user called 'user' on 127.0.0.1 (localhost) with the password 'pass'. This username and password must be exactly the same as the ones we entered in the DVWA configuration file.
CREATE DATABASE dvwa;   -- name must match db_database in config.inc.php (default 'dvwa') and the GRANT below
USE dvwa;
CREATE USER 'user'@'127.0.0.1' IDENTIFIED BY 'pass';
In the above screenshot we can see "Query OK", which means the user was created. Then we grant this user all privileges on the database using the following command:
GRANT ALL PRIVILEGES ON dvwa.* TO 'user'@'127.0.0.1' IDENTIFIED BY 'pass';
We have finished the database work; now we configure the server.
INSTALL PHP:
PHP comes preinstalled on Kali Linux. If you want to install a particular version, you can do it manually from the terminal. Follow the steps below.
First, update your system and add the SURY PHP repository by executing the commands below.
sudo apt -y install lsb-release apt-transport-https ca-certificates
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
After successfully adding the repository, use the command below to install the PHP version you want.
Next we need to configure the PHP settings used by our apache2 server. Let's change directory to /etc/php/8.2/apache2.
Here we configure the php.ini file.
We need to change the allow_url_fopen and allow_url_include values and set both of them to 'On'. When configuring for the first time, one or both of these settings may be 'Off' (allow_url_include is 'Off' in PHP's shipped defaults). DVWA's file-inclusion exercises need them enabled; they should stay 'Off' on any server that is not a lab. Both settings turned to 'On', as in the following screenshots:
After both values are changed from 'Off' to 'On'.
Then we save and exit the file (as described in the configuration step above). Then we start the apache2 server using the following command:
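As an added example (not from the original post), here is a small shell helper that makes the php.ini change just described without hand-editing, and reads each directive back so the result can be confirmed. The same reader doubles as a check on any other host: allow_url_include should report Off anywhere that is not a lab. The ini excerpt it writes is constructed (both directives switched Off, as in the tutorial's screenshots); on the Kali machine point the functions at /etc/php/8.2/apache2/php.ini.

```shell
#!/bin/sh
# Added example (not DVWA project code): set and read php.ini directives.
# On the tutorial's machine the file is /etc/php/8.2/apache2/php.ini.

# set_php_ini_directive <php.ini> <directive> <value>
# If the directive already appears (possibly commented out with ';'), the
# line is rewritten in place; otherwise the setting is appended.
set_php_ini_directive() {
    ini="$1"; name="$2"; value="$3"
    if grep -q "^[; ]*$name *=" "$ini"; then
        sed -i "s/^[; ]*$name *=.*/$name = $value/" "$ini"
    else
        printf '%s = %s\n' "$name" "$value" >> "$ini"
    fi
}

# php_ini_directive <php.ini> <directive>
# Prints the active value (the last uncommented assignment wins in PHP).
php_ini_directive() {
    sed -n "s/^$2 *= *\(.*\)/\1/p" "$1" | tail -n 1
}

# remote_include_enabled <php.ini>
# Exit status 0 when allow_url_include is On. DVWA's file-inclusion
# exercises need it; on any server that is not a lab this should fail.
remote_include_enabled() {
    [ "$(php_ini_directive "$1" allow_url_include)" = "On" ]
}

# write_sample_ini <file>
# Constructed php.ini excerpt with both directives Off, as in the tutorial.
write_sample_ini() {
    cat > "$1" <<'EOF'
[PHP]
; http://php.net/allow-url-fopen
allow_url_fopen = Off
; http://php.net/allow-url-include
allow_url_include = Off
EOF
}

# Demo against the constructed excerpt in a temporary file.
# Replace "$demo_ini" with /etc/php/8.2/apache2/php.ini on the real machine.
demo_ini=$(mktemp)
write_sample_ini "$demo_ini"
set_php_ini_directive "$demo_ini" allow_url_fopen On
set_php_ini_directive "$demo_ini" allow_url_include On
printf 'allow_url_fopen=%s allow_url_include=%s\n' \
    "$(php_ini_directive "$demo_ini" allow_url_fopen)" \
    "$(php_ini_directive "$demo_ini" allow_url_include)"
rm -f "$demo_ini"
```

After changing php.ini, apache2 has to be restarted for PHP to pick up the new values; remote_include_enabled is the check to run afterwards, and it is equally useful run against php.ini on hosts where the answer should be no.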
service apache2 start
Now we check the running status of the mysql and apache2 services using the following commands:
If a service is stopped, just start it using the following commands:
service mysql restart
service apache2 start
TO LAUNCH DVWA:
Let's open the browser and navigate to 127.0.0.1/dvwa/. The first visit opens setup.php, as shown in the screenshot.
Here we click on "Create/Reset Database". This creates and configures the database, and we are redirected to the DVWA login page.
The default login credentials are:
Username : admin
Password : password
After login we are on the Damn Vulnerable Web Application main page, which shows some general information and warnings.
On the left side we can see the many vulnerable pages available for practice. DVWA has different security levels; to change them we navigate to DVWA Security. The levels are low, medium, high and impossible, and we can choose the difficulty we need. Now we can run penetration testing tools and techniques against our localhost.
"If you have any query or problem in the installation process, just comment below."
Reference: https://github.com/digininja/DVWA