DVWA (Damn Vulnerable Web Application) is the best choice for those who want to learn and test the most common vulnerabilities that can be found on a website. It was named "Damn Vulnerable" because it contains the most common damn web vulnerabilities. DVWA is used for security testing purposes. It has a built-in php-admin account to manage the application.
For security reasons, newcomers are often unsure where they should practise web attacks. In such a case, DVWA is the best choice. This application works under any Linux OS; to make it work on Windows, the Cygwin software is used.
Tools and OS
- Kali Linux
- apache2 for server access
- Download the DVWA application
- Create DVWA Project
- Setting SQL server
- Some PHP changes
- Installation of php7.0-gd
- Starting server and ready to go
Install DVWA on your Kali Operating System
Step 1: Download the DVWA application
Download DVWA from the official website http://www.dvwa.co.uk/. It is also available on GitHub, where you can clone it using the git command. For now, we presume that you have already downloaded the application and that it is in your Downloads directory.
Step 2: Create the DVWA project
Now, extract the application into the /var/www/html directory. Use the unzip command to extract the archive. The command will extract all the DVWA files into a DVWA-master folder under /var/www/html. Rename the folder from DVWA-master to dvwa using mv, as we will use this name to access the files and it is easier to remember. Type the following in the terminal:
The name of the folder will change. Then change the permissions on the folder so that the web server can access it.
Step 3: Setting up the SQL server
SQL (Structured Query Language) is the language used to work with relational databases, which store large amounts of data. DVWA also uses a SQL database for storage. Set up a MySQL database so that the application has a way to connect to the database and store its data. First launch the MySQL terminal, configure the settings, and finally start and enable the MySQL service. Type the following:
The bold words in the above commands (the database name, username and password) do not have to be the same as shown; choose them as required. Altogether, the commands look like this:
Step 4: Some PHP changes
Now we need to make some changes to the DVWA PHP configuration file. Put the MySQL database information into the configuration file. Note that the information must be the same as used in the previous step; otherwise the application will not be able to connect to your database, which means it will not work. Add the username, password and database name to the configuration file. We also need to add the Google reCAPTCHA keys to the DVWA configuration. Go to https://www.google.com/recaptcha/intro/index.html and obtain a reCAPTCHA key pair. Now open the configuration file in your text editor:
Edit the file as shown:
After editing the file, rename it to config.inc.php.
Step 5: Installation of php7.0-gd
php-gd is required by DVWA to run properly. Run the following commands in the terminal to install php7.0-gd. php5-gd has been removed from the Kali sources, so we will be using version 7.0.
After installing the package, you have to edit the PHP configuration file (php.ini) used by apache2 and change the value of allow_url_include. This will allow exploiting the file uploading vulnerability on DVWA. Set the value of allow_url_include to On. Open the file in your text editor:
Step 6: Starting the server and being ready to go
Now the application files are set up and the configuration is done. Start the Apache2 server.
This will start the apache2 service, and the DVWA application will be available on localhost. Open your browser and type in the address bar: 127.0.0.1/dvwa/setup.php. It will show you a setup check box indicating whether your application is configured correctly. If everything is right and no error has occurred, click the Clear/Reset Database button as shown in the screenshot below.
Now you will be redirected to the login page. Enter the default credentials, which are “admin / password”, and press Enter. The settings page will open. Select the settings that suit you and start hacking the application.
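The steps above, collected into one script as an added example (this is not the tutorial author's own command listing, which is not reproduced on this page). The paths, service names, the archive name DVWA-master.zip and the placeholder database name, user and password are assumptions to adjust for your system; the `$_DVWA[...]` keys follow the layout of DVWA's shipped config.inc.php.dist. The real installation only runs when `DVWA_RUN_INSTALL=1` is set, so the helper functions can be exercised safely first.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: scripted DVWA setup steps 2 to 6.
# Assumed values (adjust as needed): web root, DB name/user/password, php.ini path.
set -eu

WEBROOT="${WEBROOT:-/var/www/html}"
DB_NAME="${DB_NAME:-dvwa}"
DB_USER="${DB_USER:-dvwa}"
DB_PASS="${DB_PASS:-ChangeMe_dvwa}"   # constructed placeholder, pick your own
PHP_INI="${PHP_INI:-/etc/php/7.0/apache2/php.ini}"   # assumed Kali/PHP 7.0 location

# Step 3: SQL that creates the database plus a dedicated user limited to that
# schema and to localhost, instead of letting DVWA connect as root.
dvwa_sql() {  # $1 = database, $2 = user, $3 = password
  cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$1\`;
CREATE USER IF NOT EXISTS '$2'@'localhost' IDENTIFIED BY '$3';
GRANT ALL PRIVILEGES ON \`$1\`.* TO '$2'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Step 4: render config.inc.php with the same DB settings used in step 3.
# reCAPTCHA keys are left empty; paste the pair obtained from Google here.
dvwa_config() {  # $1 = database, $2 = user, $3 = password
  cat <<EOF
<?php
\$_DVWA = array();
\$_DVWA[ 'db_server' ] = '127.0.0.1';
\$_DVWA[ 'db_database' ] = '$1';
\$_DVWA[ 'db_user' ] = '$2';
\$_DVWA[ 'db_password' ] = '$3';
\$_DVWA[ 'recaptcha_public_key' ] = '';
\$_DVWA[ 'recaptcha_private_key' ] = '';
EOF
}

# Step 5: set one php.ini directive in place (e.g. allow_url_include = On).
# Matches the directive whether it is currently On, Off or commented out with ';'.
set_php_directive() {  # $1 = php.ini path, $2 = directive, $3 = value
  sed -i -E "s|^[;[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1"
}

# Read a directive back so the change can be verified before restarting Apache.
get_php_directive() {  # $1 = php.ini path, $2 = directive
  sed -n -E "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1" | tail -n 1
}

install_dvwa() {
  # Step 2: unpack into the web root under the short name "dvwa" and hand the
  # tree to the web server user (tighter than a world-writable chmod).
  unzip -q "$HOME/Downloads/DVWA-master.zip" -d "$WEBROOT"
  mv "$WEBROOT/DVWA-master" "$WEBROOT/dvwa"
  chown -R www-data:www-data "$WEBROOT/dvwa"
  # Step 3: start/enable MySQL (service name assumed) and provision the database.
  systemctl enable --now mysql
  dvwa_sql "$DB_NAME" "$DB_USER" "$DB_PASS" | mysql -u root
  # Step 4: write the configuration file under its final name.
  dvwa_config "$DB_NAME" "$DB_USER" "$DB_PASS" > "$WEBROOT/dvwa/config/config.inc.php"
  # Step 5: install php7.0-gd and enable allow_url_include.
  apt-get install -y php7.0-gd
  set_php_directive "$PHP_INI" allow_url_include On
  echo "allow_url_include is now: $(get_php_directive "$PHP_INI" allow_url_include)"
  # Step 6: (re)start Apache and finish in the browser.
  systemctl restart apache2
  echo "Open http://127.0.0.1/dvwa/setup.php and click Clear/Reset Database"
}

# Only perform the real installation when explicitly requested (needs root).
if [ "${DVWA_RUN_INSTALL:-0}" = "1" ]; then
  install_dvwa
fi
```

Run it as `sudo DVWA_RUN_INSTALL=1 DB_PASS='your-own-secret' ./install-dvwa.sh`. Keeping the SQL and the config rendering in functions means the values used in step 3 and step 4 come from the same variables, which is the mismatch the tutorial warns about; the `get_php_directive` check is a quick way to confirm the php.ini edit took effect before restarting Apache.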