Install and Setup DVWA on CentOS 8


In this guide, we are going to learn how to install and set up DVWA on CentOS 8. DVWA, an acronym for Damn Vulnerable Web Application, is a very vulnerable PHP/MySQL web application designed to help security professionals, students and web application developers test their security skills, learn web application security and understand web application security processes.

Installing DVWA on CentOS 8

Update system packages

To begin with, ensure that your system packages are up to date.

dnf update

Install LAMP Stack on CentOS 8

Since DVWA is a web application, you need to have a LAMP stack installed before setting up DVWA. Follow the link below to learn how to install the LAMP stack on CentOS 8.

How to Install LAMP Stack on CentOS 8

Create DVWA Database and Database User

After you have installed the LAMP stack, proceed to create the DVWA database and database user.

mysql -u root -p

Create DVWA database. You can use any database name.

create database dvwadb;

Create the DVWA database user with all privileges on the DVWA database. Again, replace the user and the password accordingly.

grant all on dvwadb.* to dvwamgr@localhost identified by 'mypassword';

Reload the privileges table and exit the database.

flush privileges;
quit

Configure PHP for DVWA

Install the required PHP-GD module.

dnf install php-gd

PHP 7.2 is used in this demo.

php -v
PHP 7.2.11 (cli) (built: Oct  9 2018 15:09:36) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

Proceed to edit php.ini and make the following changes.

vim /etc/php.ini
  • allow_url_fopen = On – Allows for Remote File Inclusions (RFI)
  • allow_url_include = On – Allows for Remote File Inclusions (RFI)
  • display_errors = Off – (Optional) Hides PHP warning messages to make it less verbose

Save and quit the PHP configuration file.
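The script below is an added example, not part of the original guide: it reads a php.ini file and reports whether the three directives above have the values this guide sets, which is also a quick way to confirm that a non-lab host has not inherited them. The function names ini_bool and dvwa_php_check and the sample file are constructed for illustration; the fallback values are PHP's built-in defaults.

```shell
#!/bin/sh
# Added example (not from the guide): audit php.ini for the DVWA lab directives.

# ini_bool FILE KEY DEFAULT -> prints "on" or "off".
# PHP applies the last uncommented assignment; DEFAULT is used when KEY is absent.
ini_bool() {
    awk -v key="$2" -v val="$3" '
        /^[ \t]*;/ { next }                       # full-line comment
        {
            line = $0
            sub(/;.*$/, "", line)                 # trailing comment (fine for booleans)
            eq = index(line, "=")
            if (eq == 0) next                     # section header or blank line
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            if (k == key) val = tolower(v)        # directive names are case sensitive
        }
        END { if (val ~ /^(1|on|true|yes)$/) print "on"; else print "off" }
    ' "$1"
}

# dvwa_php_check FILE -> one line per directive; returns 0 only if all match the guide.
# Each spec is KEY:VALUE_SET_BY_GUIDE:PHP_BUILTIN_DEFAULT
dvwa_php_check() {
    rc=0
    for spec in allow_url_fopen:on:1 allow_url_include:on:0 display_errors:off:1; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(ini_bool "$1" "$key" "$def")
        if [ "$got" = "$want" ]; then echo "OK    $key = $got"
        else echo "DIFF  $key = $got (guide sets $want)"; rc=1; fi
    done
    return $rc
}

# Constructed sample: a php.ini in which allow_url_include is still disabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[PHP]
; allow_url_include = On   (commented out, so it does not count)
allow_url_fopen = On
allow_url_include = Off
display_errors = On
display_errors = Off       ; last assignment wins
EOF
dvwa_php_check "$sample" || echo "php.ini does not yet match the lab settings"
rm -f "$sample"
```

On the lab host, run dvwa_php_check /etc/php.ini after editing the file.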

Install DVWA on CentOS 8

In this demo, we will install DVWA in the default Apache web root directory, /var/www/html.

Therefore, clone the DVWA GitHub repository to the web root directory.

dnf install git
git clone https://github.com/ethicalhack3r/DVWA /var/www/html/

Configuring DVWA on CentOS 8

To begin the configuration, copy the sample configuration file /var/www/html/config/config.inc.php.dist to /var/www/html/config/config.inc.php.

cp /var/www/html/config/config.inc.php{.dist,}

Edit the configuration file, /var/www/html/config/config.inc.php, and configure the database connection details.

vim /var/www/html/config/config.inc.php
...
# Database variables
#   WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
#   Please use a database dedicated to DVWA.
#
# If you are using MariaDB then you cannot use root, you must use create a dedicated DVWA user.
#   See README.md for more information on this.
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwadb';
$_DVWA[ 'db_user' ]     = 'dvwamgr';
$_DVWA[ 'db_password' ] = 'mypassword';
...

Install reCAPTCHA keys

Generate reCAPTCHA keys from the Google reCAPTCHA service.

Once generated, simply copy and paste the site key and site secret key to $_DVWA[ 'recaptcha_public_key' ] and $_DVWA[ 'recaptcha_private_key' ] respectively.

...
# ReCAPTCHA settings
#   Used for the 'Insecure CAPTCHA' module
#   You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ]  = '6LcWVswUAAAAAHPp-TlOuNcLcrw7iAWVhtOrDYFm';
$_DVWA[ 'recaptcha_private_key' ] = '6LcWVswUAAAAABssYEu10VtWinRub6b_D8zn_sSL';
...

Save and exit the configuration file.

Assign the ownership of the DVWA web configuration files to Apache.

chown -R apache:apache /var/www/html

Restart the database and Apache.

systemctl restart mariadb httpd

Configure SELinux

If SELinux is running, the apache user will be denied write access to the file /var/www/html/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt as well as to the directory /var/www/html/config. To fix this, execute the command below:

setsebool -P httpd_unified 1

Allow HTTPD scripts and modules to connect to the network.

setsebool -P httpd_can_network_connect 1

Allow HTTPD scripts and modules to network connect to databases.

setsebool -P httpd_can_network_connect_db 1

Finalize DVWA Setup on Browser

You can now access DVWA from your preferred browser to finalize the setup. Use the address http://server-IP/setup.php.


On the setup page, ensure that no setting is shown with a red status. If any is, fix the issue before proceeding.

Click Reset/Database to configure DVWA database connection settings.


Since we have already done this above, you will be redirected to the DVWA login interface if the DB connection details are correct.

Log in using the default credentials: Username: admin, Password: password.


DVWA default dashboard.


koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".
