According to the official website:
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
Official site: http://www.dvwa.co.uk/
Update CentOS 7
Before installing the necessary services for DVWA, you must update CentOS 7.
# yum update -y && reboot
To make the system vulnerable, SELinux must be disabled. You have two options:
Option 1: Use vi and manually edit the file
# vi /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled
Option 2: Use sed to make the change
# sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config
You must then restart the server.
After the restart, you can validate the state of SELinux with the sestatus command:
[root@dvwa ~]# sestatus
SELinux status: disabled
To make the system vulnerable, the firewall must also be stopped and disabled:
# systemctl stop firewalld
# systemctl disable firewalld
The following commands install the Apache server, start it and enable it at boot:
# yum install httpd -y
# systemctl start httpd
# systemctl enable httpd
The following commands install the MariaDB server, start it and enable it at boot:
# yum install mariadb mariadb-server -y
# systemctl start mariadb
# systemctl enable mariadb
The following command cleans up the MariaDB installation and sets a password for the root account of the database. The password for root must be p@ssw0rd
Install PHP, unzip and wget
The following command installs PHP and the modules DVWA needs, together with wget and unzip:
# yum install wget php php-mysql php-gd php-pear php-pear-DB unzip -y
Go to the folder /var/www/html and download DVWA. The downloaded file is named master.zip
# cd /var/www/html
# wget https://github.com/ethicalhack3r/DVWA/archive/master.zip
Unzip the master.zip file
The command unzips the file, which creates a folder named DVWA-master, and then renames that folder to dvwa.
# unzip master.zip && mv DVWA-master dvwa
Configure the config.inc.php file
The config.inc.php configuration file is required for the web page to work. It is also in this file that you can change the database root password if you did not enter the correct one when running the command above.
# cd /var/www/html/dvwa/config
# cp config.inc.php.dist config.inc.php
Changing permissions for DVWA
The Apache user must be able to read and write the DVWA folders:
# chown -R apache:apache /var/www/html/dvwa/
DVWA needs the allow_url_fopen and allow_url_include options to be enabled in the php.ini file. The options are around lines 811 and 815.
# vi /etc/php.ini
The highlighted options must be set to On. Make the changes if necessary.
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-fopen
allow_url_fopen = On

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-include
allow_url_include = On
Restarting the Apache server
# systemctl restart httpd
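Before opening the setup page, it is worth checking that the settings changed above actually took effect. The following preflight script is an added example, not part of the original guide: it parses php.ini and /etc/selinux/config as files (so it needs no root, systemd or SELinux tools) and ignores commented-out lines, which is the usual reason a setting looks enabled but is not. The file paths default to the CentOS 7 locations used in this guide, and the sample files it creates are constructed for the demonstration.

```shell
# ini_value FILE KEY: effective value of KEY, ignoring ';'-commented lines.
# The last uncommented assignment wins, as PHP reads php.ini top to bottom.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p" "$1" | tail -n 1
}

# selinux_mode FILE: value of the SELINUX= line in /etc/selinux/config.
selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# dvwa_preflight [PHP_INI] [SELINUX_CONF]: prints one line per setting and
# returns 0 only when all of them match what DVWA's setup page expects.
dvwa_preflight() {
    php_ini=${1:-/etc/php.ini}
    se_conf=${2:-/etc/selinux/config}
    rc=0
    for key in allow_url_fopen allow_url_include; do
        val=$(ini_value "$php_ini" "$key")
        case "$val" in
            [Oo]n|1) echo "ok   $key = $val" ;;
            *)       echo "FAIL $key = '${val:-unset}' (expected On)"; rc=1 ;;
        esac
    done
    mode=$(selinux_mode "$se_conf")
    if [ "$mode" = "disabled" ]; then
        echo "ok   SELINUX=$mode"
    else
        echo "FAIL SELINUX='${mode:-unset}' (expected disabled)"; rc=1
    fi
    return $rc
}

# Constructed sample files (not real system files) to exercise the check.
# The "ready" pair is how the files look after this guide; the "stock" pair
# still has allow_url_include commented out and SELinux enforcing.
SAMPLE_DIR=$(mktemp -d)
printf '; php.ini excerpt\nallow_url_fopen = On\n;allow_url_include = On\nallow_url_include = On\n' > "$SAMPLE_DIR/php-ready.ini"
printf 'allow_url_fopen = On\n;allow_url_include = On\n' > "$SAMPLE_DIR/php-stock.ini"
printf '# This file controls the state of SELinux on the system.\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$SAMPLE_DIR/selinux-ready"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$SAMPLE_DIR/selinux-stock"

# Run against the samples; on the real server call dvwa_preflight with no arguments.
dvwa_preflight "$SAMPLE_DIR/php-ready.ini" "$SAMPLE_DIR/selinux-ready"
dvwa_preflight "$SAMPLE_DIR/php-stock.ini" "$SAMPLE_DIR/selinux-stock" || echo "stock system is not ready for DVWA"
```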
Configuration via the web page
To complete the configuration, you must open the server's setup page in a browser, using the IP address of the server:
http://<IP ADDRESS>/dvwa/setup.php
Before you can create the database, make sure that every check in the framed part of the page is shown in green.
For the reCAPTCHA portion, you need to generate a key with Google. This option is not covered in this guide.
Click on Create / Reset Database
Configuration of the database
When you click Create / Reset Database, a script will create the database for the server exercises.
Once the initial configuration is done, wait a few seconds and you will be automatically redirected to the home page.
You can use this button to reset the database at any time.
Login to the DVWA
You can log in to the site with the username admin and the password password
DVWA main page
The main page gives you access to the configuration and the challenges:
1. Resets the database
2. The various security challenges
3. Setting the security level
4. Current security level
Difficulty level for challenges
Before attempting a challenge, you need to adjust the security level of DVWA. There are four levels of difficulty.