Introduction

According to the official website:

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Official site: http://www.dvwa.co.uk/

GitHub: https://github.com/ethicalhack3r/DVWA

Pre-configuration:

Update CentOS 7

Before installing the necessary services for DVWA, you must update CentOS 7.

# yum update -y && reboot

Disable SELinux

To leave the system vulnerable, SELinux must be disabled. You have two options:

Option 1: Use vi and manually edit the file

# vi /etc/selinux/config

Change SELINUX=enforcing to SELINUX=disabled

Option 2: Use sed to make the change

# sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config

You must then restart the server.

# reboot

After the restart, you can verify the state of SELinux with the sestatus command:

# sestatus

SELinux status: disabled

Disable Firewall

To leave the system vulnerable, it is also necessary to disable the firewall:

# systemctl stop firewalld

# systemctl disable firewalld

Install Apache

The following commands install the Apache HTTP server, start it, and enable it at boot:

# yum install httpd -y

# systemctl start httpd

# systemctl enable httpd

Install MariaDB

The following commands install the MariaDB server, start it, and enable it at boot:

# yum install mariadb mariadb-server -y

# systemctl start mariadb

# systemctl enable mariadb

mysql_secure_installation

The following command hardens the default MariaDB installation (removing the anonymous users and the test database) and sets a password on the database root account. The root password must be p@ssw0rd, which is the password DVWA's default configuration file expects.

# mysql_secure_installation

Install PHP, unzip and wget

The following command installs PHP and the PHP modules DVWA needs, together with unzip and wget:

# yum install wget php php-mysql php-gd php-pear php-pear-DB unzip -y

Install DVWA

Download DVWA

Go to the folder /var/www/html and download DVWA from GitHub. The downloaded file is named master.zip.

# cd /var/www/html

# wget https://github.com/ethicalhack3r/DVWA/archive/master.zip

Unzip the master.zip file

The command unzips the archive, which creates a folder named DVWA-master, and then renames that folder to dvwa.

# unzip master.zip && mv DVWA-master dvwa

Configure the config.inc.php file

DVWA will not load without the config.inc.php configuration file. It is also in this file that you set the database root password if you chose a password other than the expected one when running mysql_secure_installation.

# cd /var/www/html/dvwa/config

# cp config.inc.php.dist config.inc.php

Changing permissions for DVWA

The Apache user must be able to read and write the DVWA folders:

# chown -R apache:apache /var/www/html/dvwa/

Change php.ini

DVWA needs the allow_url_fopen and allow_url_include options to be enabled in the php.ini file. They are around lines 811 and 815.

# vi /etc/php.ini

Both options must be set to On. Make the changes if necessary.

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-fopen
allow_url_fopen = On

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-include
allow_url_include = On

Restart the Apache server

# systemctl restart httpd
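Before opening setup.php, it is worth confirming that the php.ini and SELinux edits above actually took, by re-reading those files. The script below is an added example, not part of the original guide or of DVWA; it runs against constructed sample files embedded inline, and the function names (php_ini_value, dvwa_php_ini_problems, selinux_config_mode) are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide or DVWA): re-read the files edited above and
# report whether they carry the values DVWA needs. Function names are assumptions.

# Effective value of a php.ini directive: skips ';' comment lines, last assignment wins.
php_ini_value() {   # $1 = path to php.ini (or a copy), $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p" "$1" | tail -n 1
}

# Print each required directive that is not "On" as name=value (empty output means OK).
dvwa_php_ini_problems() {   # $1 = path to php.ini
    for d in allow_url_fopen allow_url_include; do
        v=$(php_ini_value "$1" "$d")
        [ "$v" = "On" ] || echo "$d=${v:-unset}"
    done
}

# Value of the SELINUX= key in /etc/selinux/config; the SELINUXTYPE= line is not matched.
selinux_config_mode() {   # $1 = path to the config file (or a copy)
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Constructed sample files in the shape of the real ones (not copied from a host).
SAMPLE_PHP_INI=$(mktemp)
cat > "$SAMPLE_PHP_INI" <<'EOF'
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-fopen
allow_url_fopen = On

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-include
allow_url_include = Off
EOF

SAMPLE_SELINUX=$(mktemp)
cat > "$SAMPLE_SELINUX" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
EOF

# Report: on the real host, pass /etc/php.ini and /etc/selinux/config instead of the samples.
problems=$(dvwa_php_ini_problems "$SAMPLE_PHP_INI")
[ -z "$problems" ] && echo "php.ini: OK" || echo "php.ini: fix $problems"
echo "SELinux config mode: $(selinux_config_mode "$SAMPLE_SELINUX")"
```

With the sample above the report flags allow_url_include=Off, which is exactly the state setup.php would later complain about.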

Configuration via the web page

To complete the configuration, open the server's website in a browser, using the IP address of the server:

http://<IP ADDRESS>/dvwa/setup.php

PHP configuration

Before you can create the database, make sure that all the setup checks shown on the page are green.

For the reCAPTCHA section, a key must be generated with Google. This option is not covered in this guide.

Click on Create / Reset Database

Configuration of the database

When you click Create / Reset Database, a script creates the database used by the server's exercises.

Once the initial configuration is done, wait a few seconds and you will be redirected automatically to the home page.

You can use this button to reset the database at any time.

Login to the DVWA

You can log in to the site with the username admin and the password password.

DVWA main page

The main page gives you access to the configuration and the challenges:

1. Reset the database

2. The various security challenges

3. Setting the security level

4. Current security level

Difficulty level for challenges

Before making a challenge, it is necessary to adjust the security level of the DVWA. There are four levels of difficulty.
