Setting Up DVWA Training Platform on Kali Linux in VMware — A Simple Guide

IritT
8 min read · Sep 29, 2024


What is DVWA?

DVWA stands for Damn Vulnerable Web Application. It is a purposely vulnerable web application that was designed for security professionals, students, and developers to practice identifying and exploiting web vulnerabilities in a safe, controlled environment.

The goal of DVWA is to teach users about the various security issues that can arise in web applications, such as:

  • SQL Injection: A type of attack where malicious SQL code is inserted into a query to manipulate a database.
  • Cross-Site Scripting (XSS): An attack that allows an attacker to inject malicious scripts into a web page.
  • Cross-Site Request Forgery (CSRF): A type of attack that tricks users into performing actions they didn’t intend to on a website.
  • File Upload Vulnerabilities: Where attackers upload malicious files to a web server.

Security Levels in DVWA: DVWA offers three security levels (low, medium, and high), allowing users to practice exploiting vulnerabilities in environments with varying degrees of protection:

  • Low Security Level: At this level, almost no input validation is performed, making all vulnerabilities easily exploitable. For example, in SQL Injection, the input fed into queries isn’t filtered, allowing for malicious code to be injected with ease.
  • Medium Security Level: At this level, some basic input validation is done to filter out malicious inputs, but it’s not foolproof. This level allows users to understand how attacks bypass initial protections commonly found in many applications.
  • High Security Level: At this level, the code is fully secured with proper input handling. Advanced input filtering techniques are used, and many attacks are prevented. This level simulates a highly secure environment, requiring more advanced techniques to find and exploit vulnerabilities.

These levels help users progressively practice and understand how to discover and fix security vulnerabilities in real-world applications.

It’s an excellent tool for beginners to practice real-world hacking techniques in a legal and safe way without worrying about harming actual websites. However, it is important to always run DVWA in an isolated environment, like a virtual machine, to avoid security risks on your main computer or network.

Why Use DVWA?

  • Learn and Practice: DVWA is perfect for hands-on practice with different web vulnerabilities.
  • Security Awareness: It helps developers and security enthusiasts learn how to secure their applications by understanding common flaws.
  • Multiple Security Levels: It provides low, medium, and high-security levels to give users experience with different levels of security challenges.

In short, DVWA is a great tool for anyone wanting to improve their web security skills in a safe learning environment.

Step 1: Download DVWA

  1. Go to the web server folder: The web server stores all the files that the browser can access. We need to go to the correct folder to place the DVWA files. In Linux, this is usually the /var/www/html/ folder.
cd /var/www/html/

2. Download DVWA: To get the DVWA files, we use git, a version-control tool that downloads (clones) a project's files from a repository on the internet. This command downloads DVWA to your server.

sudo git clone https://github.com/digininja/DVWA.git /var/www/html/dvwa

3. Check folder contents: Now, we check if the DVWA files are in the right place.

ls /var/www/html/dvwa/

Step 2: Set Permissions

  1. Change file permissions: We need to set permissions so that the web server can read and execute (run) the files inside the DVWA folder, while only the owner can write to them.
sudo chmod -R 755 /var/www/html/dvwa

The command sudo chmod -R 755 /var/www/html/dvwa gives the file owner full control (read, write, execute), while allowing others to only read and execute the files, improving security compared to 777.

Step 3: Configure DVWA

  1. Go to the DVWA configuration folder: We need to change some settings in the configuration file so DVWA can connect to a database. First, let’s go to the correct folder.
cd dvwa/config/

2. Check folder contents

ls

3. Rename the configuration file: There is a sample configuration file that we need to rename for DVWA to use.

sudo mv config.inc.php.dist config.inc.php

4. Edit the configuration file: We need to open the configuration file and make sure the settings for the database (where DVWA stores its data) are correct. To do this, we use a text editor called nano.

sudo nano /var/www/html/dvwa/config/config.inc.php

Make sure the following settings are correct:

<?php

# Database management system to use
$DBMS = 'MySQL'; // Currently only MySQL is supported

# Database variables
$_DVWA = array();
$_DVWA['db_server'] = '127.0.0.1'; // MySQL server address
$_DVWA['db_database'] = 'dvwa'; // MySQL database name
$_DVWA['db_user'] = 'dvwa'; // MySQL username
$_DVWA['db_password'] = 'p@ssw0rd'; // MySQL password
$_DVWA['db_port'] = '3306'; // MySQL port (default is 3306)

# ReCAPTCHA settings (optional, you can leave these empty if you're not using ReCAPTCHA)
$_DVWA['recaptcha_public_key'] = ''; // Your public reCAPTCHA key
$_DVWA['recaptcha_private_key'] = ''; // Your private reCAPTCHA key

# Default security level
$_DVWA['default_security_level'] = 'low'; // Default security level (low/medium/high)

?>

Step 4: Set Up MySQL Database

  1. Start MySQL: DVWA needs a database to store its data. We start the MySQL service, which manages the database.
sudo service mysql start

2. Log in to MySQL: We log in to MySQL as the root (admin) user so we can set up the DVWA database.

sudo mysql -u root -p

You will be asked for your MySQL root password.

3. Create the DVWA database: If the DVWA database doesn't already exist, we create it with this command:

CREATE DATABASE dvwa;

Once inside the MySQL interface, we can check the list of databases by running the following command:

SHOW DATABASES;

4. View the users: List the user accounts in the system:

SELECT User, Host FROM mysql.user;

5. Create a new user and grant permissions: We create a user for DVWA and give it access to the database. MySQL identifies an account by user and host together, so the host part ('127.0.0.1') must match the db_server value in config.inc.php; an account that exists only for 'localhost' is not guaranteed to match DVWA's connection to 127.0.0.1.

CREATE USER 'dvwa'@'127.0.0.1' IDENTIFIED BY 'p@ssw0rd';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'127.0.0.1';

6. Exit MySQL:

exit
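The statements above must agree with config.inc.php: the same database name, user, password and, above all, the same host. The script below is an added example (not part of the article or of DVWA itself) that reads the db_* values out of a config.inc.php with sed, emits the matching SQL, and checks a saved `SELECT User, Host FROM mysql.user` listing for an account that actually matches. The function names, the temporary file paths and the sample config and user listing are constructed for the demo; `CREATE USER IF NOT EXISTS` assumes a MariaDB or MySQL release recent enough to support it.

```shell
#!/bin/sh
# Added example (not from the article): derive the Step 4 MySQL statements
# from config.inc.php and verify that an account with a matching host exists.
# All paths and sample files below are constructed for the demo.

# Print one $_DVWA['key'] value from a DVWA config.inc.php.
# Accepts both $_DVWA['key'] (as in the article) and $_DVWA[ 'key' ]
# (as in DVWA's config.inc.php.dist). Assumes single-quoted values that
# contain no single quote, which holds for the defaults shown.
dvwa_cfg_get() {
    cfg=$1; key=$2
    sed -n -E "s/^[[:space:]]*\\\$_DVWA\\[[[:space:]]*'${key}'[[:space:]]*\\][[:space:]]*=[[:space:]]*'([^']*)'.*/\\1/p" "$cfg" | head -n 1
}

# Emit the SQL for the database and the account; the host is taken from
# db_server so CREATE USER / GRANT match what DVWA connects as.
dvwa_db_sql() {
    cfg=$1
    host=$(dvwa_cfg_get "$cfg" db_server)
    db=$(dvwa_cfg_get "$cfg" db_database)
    user=$(dvwa_cfg_get "$cfg" db_user)
    pass=$(dvwa_cfg_get "$cfg" db_password)
    if [ -z "$host" ] || [ -z "$db" ] || [ -z "$user" ] || [ -z "$pass" ]; then
        echo "dvwa_db_sql: db_server/db_database/db_user/db_password not all set in $cfg" >&2
        return 1
    fi
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$db"
    printf "CREATE USER IF NOT EXISTS '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pass"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s';\n" "$db" "$user" "$host"
    printf "FLUSH PRIVILEGES;\n"
}

# Return 0 if $2 (tab-separated "User<TAB>Host" rows, as saved from
# mysql -B -e "SELECT User, Host FROM mysql.user") contains db_user@db_server.
dvwa_account_exists() {
    cfg=$1; users=$2
    user=$(dvwa_cfg_get "$cfg" db_user)
    host=$(dvwa_cfg_get "$cfg" db_server)
    grep -qxF "$(printf '%s\t%s' "$user" "$host")" "$users"
}

# Write a constructed config.inc.php with the article's default values.
dvwa_write_sample_config() {
    cat > "$1" <<'EOF'
<?php
$DBMS = 'MySQL';
$_DVWA = array();
$_DVWA['db_server'] = '127.0.0.1';
$_DVWA['db_database'] = 'dvwa';
$_DVWA['db_user'] = 'dvwa';
$_DVWA['db_password'] = 'p@ssw0rd';
$_DVWA['db_port'] = '3306';
?>
EOF
}

dvwa_demo() {
    cfg=$(mktemp); users=$(mktemp)
    dvwa_write_sample_config "$cfg"
    dvwa_db_sql "$cfg"
    # Constructed mysql.user listing: dvwa exists only for 'localhost',
    # which is not the host named by db_server ('127.0.0.1').
    printf 'User\tHost\nroot\tlocalhost\ndvwa\tlocalhost\n' > "$users"
    if dvwa_account_exists "$cfg" "$users"; then
        echo "account matching config.inc.php: present"
    else
        echo "account matching config.inc.php: missing (host mismatch), run the SQL above"
    fi
    rm -f "$cfg" "$users"
}

dvwa_demo
```

Run it as `sh dvwa_db_check.sh`; the printed SQL can be pasted into the `mysql` session from step 2, and the final line tells you whether the listing from step 4 already contains a usable account or whether the host part needs fixing.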

Step 5: Configure Apache and PHP

  1. Navigate to the correct PHP configuration file: Go to the /etc/php/8.2/apache2/ directory. This is where the PHP configuration file used by Apache is located (the version number in the path may differ on your system).
cd /etc/php/8.2/apache2/

2. Open the PHP configuration file: Use nano to open the php.ini file and configure the PHP settings. The php.ini file contains various settings for PHP and Apache.

sudo nano /etc/php/8.2/apache2/php.ini

3. Look for specific settings to configure: Some common settings you might need to adjust:

  • allow_url_include: Enables or disables including files from remote URLs. DVWA's file inclusion exercises require it to be On. The directive is deprecated since PHP 7.4 and is insecure by design, so leave it Off on anything other than an isolated lab VM.
allow_url_include = On

  • memory_limit: Adjust the memory limit for PHP scripts, if needed.

memory_limit = 128M

  • max_execution_time: The maximum amount of time, in seconds, a PHP script is allowed to run.

max_execution_time = 30

4. Save the changes and exit:

  • After making changes, press CTRL + O to save the file, then Enter to confirm.
  • Press CTRL + X to exit the nano editor.

5. Restart Apache to apply changes: Once you’ve updated the PHP settings, restart the Apache service to apply the changes.

sudo service apache2 restart
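Hand-editing php.ini works, but a directive can be present as an active line, present only as a commented-out `;name = value` line, or absent altogether, and each case needs a different edit. The script below is an added example (not from the article) that applies the three Step 5 settings in place with sed and reads them back for verification; the function names are hypothetical and the short php.ini fragment it runs on is constructed, since Kali's real file is far longer.

```shell
#!/bin/sh
# Added example (not from the article): set php.ini directives in place and
# read them back. Function names and the sample php.ini are constructed.

# Set "name = value" in a php.ini file. Three cases are handled:
#   1. an active "name = value" line exists        -> it is replaced
#   2. only a commented-out ";name = value" exists -> it is uncommented and replaced
#   3. the directive is absent                     -> it is appended
php_ini_set() {
    ini=$1; name=$2; value=$3
    if grep -Eq "^[[:space:]]*${name}[[:space:]]*=" "$ini"; then
        sed -i -E "s|^[[:space:]]*${name}[[:space:]]*=.*|${name} = ${value}|" "$ini"
    elif grep -Eq "^[[:space:]]*;[[:space:]]*${name}[[:space:]]*=" "$ini"; then
        sed -i -E "s|^[[:space:]]*;[[:space:]]*${name}[[:space:]]*=.*|${name} = ${value}|" "$ini"
    else
        printf '%s = %s\n' "$name" "$value" >> "$ini"
    fi
}

# Print the active value of a directive (empty if unset or only commented out).
php_ini_get() {
    ini=$1; name=$2
    sed -n -E "s/^[[:space:]]*${name}[[:space:]]*=[[:space:]]*//p" "$ini" | head -n 1
}

# Return 0 if a php.ini boolean value means "enabled" (On, 1, true, yes).
php_ini_flag_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the three Step 5 settings and print name=value for each so the
# result can be checked before Apache is restarted.
php_ini_apply_dvwa() {
    ini=$1
    php_ini_set "$ini" allow_url_include On
    php_ini_set "$ini" memory_limit 128M
    php_ini_set "$ini" max_execution_time 30
    for name in allow_url_include memory_limit max_execution_time; do
        printf '%s=%s\n' "$name" "$(php_ini_get "$ini" "$name")"
    done
    if php_ini_flag_on "$(php_ini_get "$ini" allow_url_include)"; then
        echo "note: allow_url_include is On; acceptable only on an isolated lab VM" >&2
    fi
}

# Demo on a constructed php.ini fragment covering all three cases.
php_ini_demo() {
    ini=$(mktemp)
    cat > "$ini" <<'EOF'
[PHP]
; constructed fragment: allow_url_include is present but commented out,
; memory_limit is active with another value, max_execution_time is absent
;allow_url_include = Off
memory_limit = 64M
EOF
    php_ini_apply_dvwa "$ini"
    rm -f "$ini"
}

php_ini_demo
```

To use it on the real file, call `php_ini_apply_dvwa /etc/php/8.2/apache2/php.ini` with sudo and then restart Apache as in step 5; the same `php_ini_set` call with `Off` reverts allow_url_include once the lab is finished.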

Optional: Check the Loaded PHP Version

To verify that PHP 8.2 is correctly configured and loaded by Apache, you can create a phpinfo file:

  1. Create the file in your web server directory:
sudo nano /var/www/html/phpinfo.php

2. Add the following content:

<?php
phpinfo();
?>

3. Check in the browser: After saving the file and exiting nano, open your browser and navigate to:

http://127.0.0.1/phpinfo.php

The phpinfo() page loads and confirms that PHP version 8.2.23 is running with Apache on your Kali Linux system. Delete /var/www/html/phpinfo.php once you have checked, because phpinfo() exposes the server's configuration to anyone who can reach the page.

Step 6: Try a CSRF Attack

Now that DVWA is installed, we can try a simple CSRF attack.

  1. Open DVWA in the browser: Open your web browser and type this address to open DVWA:
http://127.0.0.1/dvwa/setup.php

Click on Create/Reset Database.

2. Log in: Use the default credentials below to log in.

Username: admin
Password: password

3. Go to the CSRF module: After logging in, go to the CSRF vulnerability section in the menu.

Happy learning and enjoy your training!
