DVWA, the “Damn Vulnerable Web App”, is a free and open-source web application that is deliberately insecure. It is designed for security professionals to test their skills and learn how web application security works. It provides a platform for trying out penetration testing tools and practising exploitation techniques against common vulnerabilities.

In this post, we will show you how to install the Damn Vulnerable Web App on a CentOS 8 server.

Prerequisites

  • A server running CentOS 8.
  • A root password is configured on the server.

Install Apache, MariaDB and PHP

DVWA is a PHP and MySQL-based application, so you will need to install the Apache web server, MariaDB, PHP, and the required PHP extensions on your server. You can install all of them with the following command:

dnf install httpd mariadb-server php php-pdo php-mysqlnd php-cli php-gd git -y

Once all the necessary packages are installed, edit the php.ini file with the following command:

nano /etc/php.ini

Change the following lines:

allow_url_fopen = On
allow_url_include = On
display_errors = Off
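The same php.ini edit as a re-runnable script with a verification step, added here as an example and not part of the original tutorial; the function names are the example's own, and it handles a directive that is commented out or missing rather than only one that is already present:

```shell
#!/bin/sh
# Added example: apply the php.ini directives the tutorial asks for and verify
# them. Point the functions at /etc/php.ini as root, or at a copy to rehearse.
set -eu

# Directives the tutorial sets, one "key=value" per line.
DVWA_PHP_DIRECTIVES='allow_url_fopen=On
allow_url_include=On
display_errors=Off'

# set_ini_directive FILE KEY VALUE
# Rewrites an existing line for KEY (active, or commented out with ';'),
# or appends "KEY = VALUE" when the key is absent. Safe to run repeatedly.
set_ini_directive() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -Ei "s|^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# get_ini_directive FILE KEY: prints the first active (uncommented) value.
get_ini_directive() {
  sed -En "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:];]+).*|\1|p" "$1" | head -n1
}

# apply_dvwa_php_ini FILE: set every directive listed above.
apply_dvwa_php_ini() {
  printf '%s\n' "$DVWA_PHP_DIRECTIVES" | while IFS= read -r entry; do
    set_ini_directive "$1" "${entry%%=*}" "${entry#*=}"
  done
}

# verify_dvwa_php_ini FILE: returns 0 only if every directive has the expected value.
verify_dvwa_php_ini() {
  rc=0
  for entry in $DVWA_PHP_DIRECTIVES; do
    actual="$(get_ini_directive "$1" "${entry%%=*}")"
    if [ "$actual" != "${entry#*=}" ]; then
      echo "MISMATCH ${entry%%=*}: expected ${entry#*=}, got '${actual:-<unset>}'" >&2
      rc=1
    fi
  done
  return $rc
}

# On the server (as root): apply_dvwa_php_ini /etc/php.ini && verify_dvwa_php_ini /etc/php.ini
```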

Save and close the file when you are finished, then start the Apache and MariaDB services and enable them to start at system boot:

systemctl start httpd

systemctl enable httpd

systemctl start mariadb

systemctl enable mariadb

Once you are finished, you can proceed to the next step.

Configure MariaDB

Next, you will need to create a database and a user for DVWA. First, connect to MariaDB with the following command:

mysql

Once you are connected, create the database and user with the following commands:

MariaDB [(none)]> create database dvwa;

MariaDB [(none)]> grant all on dvwa.* to 'dvwa'@'localhost' identified by 'password';

Next, flush the privileges and exit MariaDB with the following commands:

MariaDB [(none)]> flush privileges;

MariaDB [(none)]> exit;

Once you are finished, you can proceed to the next step.

Download DVWA

First, download the latest version of DVWA from its Git repository with the following command:

git clone https://github.com/ethicalhack3r/DVWA /var/www/html/

Once the download is complete, change to the config directory and copy the sample configuration file:

cd /var/www/html/config/

cp config.inc.php.dist config.inc.php

Next, edit the config file with the following command:

nano /var/www/html/config/config.inc.php

Define your database details as shown below:

$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'dvwa';
$_DVWA[ 'db_password' ] = 'password'; 

# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin

$_DVWA[ 'recaptcha_public_key' ]  = '6LewiQgbAAAAAEZlwAfH88bpdk1n06gn_Qc2Cyhb';
$_DVWA[ 'recaptcha_private_key' ] = '6LewiQgbAAAAAMVHAi4wFAIt9150QqbgcOkRBSZ7';

Save and close the file when you are finished.

Note: You can generate the reCAPTCHA keys from the Google reCAPTCHA admin page linked in the comment above.

Next, set the proper ownership on the Apache document root with the following command:

chown -R apache:apache /var/www/html

Next, restart the Apache and MariaDB services to apply the changes:

systemctl restart mariadb httpd

At this point, DVWA is installed and configured. You can now proceed to the next step.

Configure SELinux and Firewall

By default, SELinux is enabled on CentOS 8, so you will need to set a few SELinux booleans to let Apache serve DVWA and connect to the database.

Run the following commands to configure SELinux:

setsebool -P httpd_unified 1

setsebool -P httpd_can_network_connect 1

setsebool -P httpd_can_network_connect_db 1

Next, you will also need to allow port 80 through firewalld. You can allow it with the following command:

firewall-cmd --permanent --zone public --add-port 80/tcp

Next, reload firewalld to apply the changes:

firewall-cmd --reload

At this point, SELinux and firewalld are configured to allow access to DVWA. You can now proceed to the next step.

Access DVWA Web UI

Now, open your web browser and access the DVWA web interface at http://your-server-ip/setup.php. You will be redirected to the following page:

[Screenshot: Database setup]

[Screenshot: PHP settings]

Next, click the Create / Reset Database button to create the DVWA database tables. You should see the following page:

[Screenshot: Login]

Provide the default username admin and password password, then click the Login button. You should see the DVWA dashboard on the following page:

[Screenshot: DVWA Dashboard]

Conclusion

Congratulations! You have successfully installed DVWA with Apache on CentOS 8. You can now practise exploitation techniques against its common vulnerabilities. Feel free to ask me if you have any questions.