How to Install Damn Vulnerable Web Application on CentOS 8
DVWA, short for "Damn Vulnerable Web App", is a free and open-source vulnerable web application. It is designed for security professionals to test their skills and understand web application security processes. It provides a platform for experimenting with new penetration testing tools and practicing new exploitation techniques against common vulnerabilities.
In this post, we will show you how to install Damn Vulnerable Web App on a CentOS 8 server.
Prerequisites
- A server running CentOS 8.
- A root password is configured on the server.
Install Apache, MariaDB and PHP
DVWA is a PHP and MySQL-based application, so you will need to install the Apache web server, MariaDB, PHP, and the other required extensions on your server. You can install all of them with the following command:
dnf install httpd mariadb-server php php-pdo php-mysqlnd php-cli php-gd git -y
Once all the necessary packages are installed, edit the php.ini file with the following command:
nano /etc/php.ini
Change the following lines:
allow_url_fopen = On
allow_url_include = On
display_errors = Off
Save and close the file when you are finished, then start the Apache and MariaDB services and enable them to start at system reboot:
systemctl start httpd
systemctl enable httpd
systemctl start mariadb
systemctl enable mariadb
Once you are finished, you can proceed to the next step.
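To confirm the three php.ini changes above before moving on, the following script (an added example, not part of the original guide) reads a php.ini file and reports each directive's effective value. The function names and the built-in sample file are constructed for illustration.

```shell
# Added example (not from the original guide): confirm the php.ini edits took effect.
# Print the effective value of a directive. Lines starting with ";" are
# comments, and when a key appears twice the last assignment wins.
ini_value() {
    awk -v k="$2" '
        /^[ \t]*;/ || !/=/ { next }
        {
            name = $0; sub(/=.*/, "", name); gsub(/[ \t]/, "", name)
            if (name != k) next
            val = $0; sub(/^[^=]*=/, "", val); sub(/;.*/, "", val)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val); found = val
        }
        END { print found }' "$1"
}

# Map PHP's boolean spellings to On/Off; a missing directive is "unset".
ini_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        '')            echo unset ;;
        on|1|true|yes) echo On ;;
        *)             echo Off ;;
    esac
}

# Compare with the guide's values; the subshell body exits 1 on any mismatch.
check_dvwa_php_ini() (
    rc=0
    for want in allow_url_fopen=On allow_url_include=On display_errors=Off; do
        key=${want%%=*}
        got=$(ini_bool "$(ini_value "$1" "$key")")
        [ "$got" = "${want#*=}" ] && echo "OK    $key = $got" && continue
        echo "DIFF  $key = $got (guide sets ${want#*=})"; rc=1
    done
    exit "$rc"
)

# Constructed sample: only the commented-out allow_url_include was edited.
sample_ini() {
    printf '%s\n' '[PHP]' 'allow_url_fopen = On' \
        '; allow_url_include = On' 'allow_url_include = Off' \
        'display_errors = On' 'display_errors = Off ; production'
}

# Check the file given as $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then check_dvwa_php_ini "$1"; else
    tmp=$(mktemp); sample_ini > "$tmp"
    check_dvwa_php_ini "$tmp" || echo "sample differs from the guide, as constructed"
    rm -f "$tmp"
fi
```

Saved under any name and run with /etc/php.ini as its argument, it checks the file edited above; with no argument it checks the constructed sample and reports the allow_url_include mismatch. It reads only the one file it is given.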
Configure MariaDB
Next, you will need to create a database and user for DVWA. First, connect to MariaDB with the following command:
mysql
Once you are connected, create a database and user with the following commands:
MariaDB [(none)]> create database dvwa;
MariaDB [(none)]> grant all on dvwa.* to dvwa@localhost identified by 'password';
Next, flush the privileges and exit from MariaDB with the following commands:
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;
Once you are finished, you can proceed to the next step.
Download DVWA
First, you will need to download the latest version of DVWA from the Git repository. You can download it with the following command:
git clone https://github.com/ethicalhack3r/DVWA /var/www/html/
Once the download is completed, change the directory to the config directory and copy the sample configuration file:
cd /var/www/html/config/
cp config.inc.php.dist config.inc.php
Next, edit the config file with the following command:
nano /var/www/html/config/config.inc.php
Define your database details as shown below:
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'dvwa';
$_DVWA[ 'db_password' ] = 'password';
# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ] = '6LewiQgbAAAAAEZlwAfH88bpdk1n06gn_Qc2Cyhb';
$_DVWA[ 'recaptcha_private_key' ] = '6LewiQgbAAAAAMVHAi4wFAIt9150QqbgcOkRBSZ7';
Save and close the file when you are finished.
Note: You can generate the reCAPTCHA values from the Google service.
Next, set the proper permissions and ownership on the Apache root directory with the following command:
chown -R apache:apache /var/www/html
Next, restart the Apache and MariaDB services to apply the changes:
systemctl restart mariadb httpd
At this point, DVWA is installed and configured. You can now proceed to the next step.
Configure SELinux and Firewall
By default, SELinux is enabled in CentOS 8, so you will need to configure SELinux to allow access to DVWA.
Run the following commands to configure SELinux:
setsebool -P httpd_unified 1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
Next, you will also need to allow port 80 through firewalld. You can allow it with the following command:
firewall-cmd --permanent --zone public --add-port 80/tcp
Next, reload firewalld to apply the changes:
firewall-cmd --reload
At this point, SELinux and firewalld are configured to allow DVWA. You can now proceed to the next step.
Access DVWA Web UI
Now, open your web browser and access the DVWA web interface using the URL http://your-server-ip/setup.php. You will be redirected to the DVWA setup page.
Next, click on the Reset/Database button to configure the DVWA database connection settings. You should then see the login page.
Provide the default username: admin, password: password and click on the Login button. You should see the DVWA dashboard.
Conclusion
Congratulations! You have successfully installed DVWA with Apache on CentOS 8. You can now use new techniques to hack common vulnerabilities. Feel free to ask me if you have any questions.