How to Install DVWA Into Your Linux Distribution

Aug 26, 2018 · 7 min read
Install DVWA in 5 Easy Steps

In this tutorial, I’ll demonstrate you to setup Damn Vulnerable Web Application (DVWA) along with Apache, MySQL, PHP on localhost. It’s always been a concern for newbies that where they should practice and explore the vulnerabilities. If you are one of those guys, DVWA would be for you to figure it out yourself. I will help you create a hacking environment into your Linux distro to practice and test your skills.

If you are a beginner in web security, you will richly benefit from this piece.

DVWA is made with PHP and MySQL for security professionals or aspiring security professionals to discover as many issues as possible and exploit some of the most commons vulnerabilities of web platforms like SQL injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and more.

Image Source:

Note: This guide is for beginners. If you’re unable to complete any of the steps or encounter any error message during the installation. I encourage you to use StackOverflow for an answer or leave a comment below.

Here’s how to install DVWA in 5 Easy Steps


Hypervisor: VirtualBox

Linux Distro: Kali Linux or elementaryOS ( or any Linux Distribution)

I always prefer using elementaryOS which is Lightweight Linux based distribution, but you can follow the same instructions for Kali Linux which is aimed at advanced Penetration Testing and Security Auditing. Remember, we need to use a virtual machine and not a connected server because DVWA is really vulnerable and should only be installed on your virtual machine with NAT.

  • To install Apache, Open your Terminal and type the following:

sudo apt install apache2

Once done, type in the browser and you will see the default Apache 2 web page, similar to this:

If you see this page, then congratulations — you have successfully installed Apache.

When you are done looking at this test page, you can remove it by typing the following command:

sudo rm /var/www/html/info.html

Step 2. Download DVWA

We need to download the archive of DVWA from Github.

  • To install Git, type following command:

sudo apt-get install git

  • Go to the apache2 folder.

cd /var/www/html/

  • Clone DVWA from Github, type the following command:

sudo git clone

Once done, type in the browser and you will see the DVWA page, similar to this:

Test DVWA Apache Page
  • Change permissions for DVWA

sudo chmod -R 777 /var/www/html/DVWA/

The next component for Setting up DVWA is Installing MySQL.

  • To install MySQL, type the following:

sudo apt install mysql-server

Note that the installation routine may ask you to create a new password for the root MySQL user. Once you have completed all of the required steps, your MySQL installation should be completed. Let’s double-check that our new MySQL server is running. Type this command:

mysql -u root -p

Enter the root password you created for MySQL when you installed the software package. Once in, the following to get the server status, version information and more:


This is a good way to ensure that you’ve installed MySQL and are ready for further configuration.

  • Restart Apache Server

sudo service apache2 restart

  • Create Database and User

To create a MySQL database and user, follow these steps:

At the command line, type the following:

mysql -u root -p

  • Type the MySQL root password, and then press Enter.
  • To create a database, type the following command:


  • To create a database user, type the following command. Replace dvwausr with the user you want to create, and replace dvwa@123 with the user’s password:

CREATE USER ‘dvwausr’@’' IDENTIFIED BY ‘dvwar@123’;

  • Grant permission, type the following command:

GRANT ALL PRIVILEGES ON dvwadb.* TO ‘dvwausr’@’localhost’ IDENTIFIED BY ‘dvwa@123’;

  • Once done, exit the application by typing either of the following commands:




For our last component in DVWA Installation, we will set up and install PHP. Installing this on your VM is quite easy.

  • To install PHP, simply type the following command:

sudo apt install php5


sudo apt install php5.6

Agree to the installation and PHP 5 will be installed on your Server.

  • Restart Apache Server

sudo service apache2 restart

Now, let’s take a moment to test the PHP software that you just installed. Move into your public web directory:

cd /var/www/html

Once there, use the text editor to create a file named info.php by typing the following command:

sudo vim info.php

This command will use the command line editor vim to open a new blank file with this name. Inside this file, type the following:

Inside this file, copy paste the following:

<?php phpinfo(); ?>

Save your changes by entering:


Once done, open your web browser and type your localhost IP address in the browser.

You will see the default PHP information page, similar to this:

When you are done looking at this test PHP page, you can remove this file if you want by typing the following command:

sudo rm /var/www/html/info.php

  • Install MySQL Extension for PHP.

To Install MySQL Extension for PHP Support, type the following:

sudo apt install php5-mysql

Once done, you have completed the PHP installation required for DVWA.

  • Install PHP-GD

DVWA requires a module for php which is not installed into Kali Linux or elementaryOS. So we need to add a Debian source for APT.

sudo add-apt-repository ‘ sid main’

sudo apt update

sudo apt install php5-gd

Once done, you have completed the PHP installation for DVWA.

Now we are ready to edit the source of php config files to make sure your web application connects to the database and has got a working captcha. You can obtain reCaptcha keys from your Google Account by clicking here.

We will use the text editor to edit the configuration typing the following command:

sudo vim /var/www/html/dvwa/config/

  • Add the database name, user, and password of the mysql database.
  • Enter reCaptcha keys.

Here’s a screenshot on how your file needs to be after editing.

Enter Database credentials and reCaptcha

Once done, we need to edit the main config (php.ini) file for apache2, which is not correctly overridden for DVWA by default.

sudo vim /etc/php5/apache2/php.ini

  • Enable Allow_url_fopen
  • Enable Allow_url_include

This is necessary to exploit the file upload vulnerability. Here’s a screenshot for php.ini after making changes.

Jump to line 821 in php.ini

After saving changes for php.ini, we need to follow a few more steps.

  • Install Iceweasel

sudo apt install iceweasel

  • Restart Apache

sudo /etc/init.d/apache2 restart

  • Restart MySQL Service

sudo /etc/init.d/mysql restart

Once done, you have completed the required configuration for DVWA.

  • Test DVWA Installation


You will be redirected to the web browser and the page similar to this will be in front of you.

DVWA Setup Check

When you are done looking at this DVWA Setup page, you can click on Create / Reset Database button. You will be redirected to the login page.

  • Use MySQL User and Password to Login
Insert the default credentials (admin/password) and log into the panel.

Now, login to change the strength of vulnerabilities by clicking on “DVWA Security”.

Low Level: Low-Level Security gives you the freedom to exploit all known vulnerabilities means there will be no security in a given framework and hence you can try all attacks if you are using it first Time.

Medium Level: Medium security will have all entry-level validations and filtration which can stop any script kiddie to get the benefit of available vulnerabilities.

High Level: High Level is kind of Zero Day environment and if you can breach it then that means you are on the right track to becoming a VAPT Expert.

Initially Start with low level and start to hacking!

So, we have set up a simple vulnerable web application on localhost. You can now Explore DVWA interface.

If you encounter any errors during the installation or have questions, let me know in the comments below.

Happy Hacking!

You may also be interested in checking List of Vulnerable Apps To (Legally) Practice Your Hacking Skills!

Originally published at on August 26, 2018.

Data Driven Investor

from confusion to clarity, not insanity


Written by


💻 // managed by @sakimjan

Data Driven Investor

from confusion to clarity, not insanity

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade