
Setting up DVWA

DVWA (http://www.dvwa.co.uk/) is a very useful tool for learning about web-based security. It is useful not just for hackers, but also for security engineers who want to learn the tools and processes hackers use to attack production systems. This post hopefully covers everything necessary to set up DVWA in a virtual machine.

Configuration

  • DVWA: Version 1.10 *Development*
  • OS: Ubuntu 19.10 desktop
  • Database: MariaDB

Once the OS is installed and set up, the first step is to install and enable the LAMP stack:

apt-get -y install apache2 mariadb-server mariadb-client php php-mysqli php-gd libapache2-mod-php
systemctl enable apache2
systemctl enable mariadb
systemctl start apache2
systemctl start mariadb

Once the LAMP stack is installed, we can download DVWA to the web server:

cd /var/www
wget https://github.com/ethicalhack3r/DVWA/archive/master.zip
unzip master.zip 
mv html html_old
mv DVWA-master html

Next, from the DVWA directory, we copy the sample configuration file and edit it to set the login credentials for the database (look for the username/password lines):

cd /var/www/html
cp config/config.inc.php.dist config/config.inc.php
nano config/config.inc.php

Once DVWA is configured, we set up our database and user (the password must match the one entered in the DVWA configuration file):

mysql -u root
create database dvwa;
grant all on dvwa.* to dvwa@localhost identified by 'p@ssw0rd';
flush privileges;
exit

At this point, open a browser, log in to DVWA, and review the settings. The goal is to have no RED text.

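Fix url_include (set the allow_url_include directive to On in php.ini, then restart Apache so the change takes effect)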

nano /etc/php/7.3/apache2/php.ini

Fix directory permissions (run from the DVWA directory, /var/www/html)

chmod a+w hackable/uploads
chmod a+w external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
chmod a+w config
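
The items fixed above can also be checked from the shell before opening the browser. The script below is an added example, not part of the original post or of DVWA: the function names are made up for illustration, the paths are the ones used in this post, and it assumes the url_include item refers to PHP's allow_url_include directive.

```shell
#!/bin/sh
# Added example: shell preflight for the items fixed by hand in this post.
# Usage: sh dvwa_preflight.sh /etc/php/7.3/apache2/php.ini /var/www/html

# Print the effective value of a php.ini directive: the last uncommented
# assignment wins, and nothing is printed if the directive is never set.
ini_get() {  # $1 = php.ini path, $2 = directive name
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }                 # whole-line comment
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k != key) next
            v = $2; sub(/;.*/, "", v)       # trailing comment
            gsub(/^[ \t"]+/, "", v); gsub(/[ \t"\r]+$/, "", v)
            val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Succeed if the directive is switched on (PHP accepts On/1/true/yes).
ini_enabled() {
    case "$(ini_get "$1" "$2" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per problem; the return status is the number of problems.
dvwa_preflight() {  # $1 = php.ini path, $2 = DVWA root
    problems=0
    if ! ini_enabled "$1" allow_url_include; then
        echo "RED: allow_url_include is not On in $1"
        problems=$((problems + 1))
    fi
    for p in hackable/uploads config \
             external/phpids/0.6/lib/IDS/tmp/phpids_log.txt; do
        # Check the other-write bit (chmod a+w); [ -w ] always passes for root.
        if [ -z "$(find "$2/$p" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
            echo "RED: $2/$p is missing or not world-writable"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

if [ "$#" -eq 2 ]; then
    dvwa_preflight "$1" "$2"
fi
```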
