Install and Setup DVWA on Rocky Linux 8

If you want to play around with Damn Vulnerable Web Application, then follow through this guide to learn how to install and setup DVWA on Rocky Linux 8 as a legal environment to run your web application security tests.

Installing DVWA on Rocky Linux 8

Install LAMP Stack on Rocky Linux 8

One of the major requirements for setting up DVWA lab is to have LAMP Stack up and running. Follow the guides below to learn how to install LAMP stack on Rocky Linux 8.

Note that we use PHP 7.4.

Install LAMP Stack with MariaDB 10 on Rocky Linux 8

Install additional PHP modules and other packages;

dnf install php-gd git vim

Create DVWA Database and Database User

Once the LAMP stack installation is done, proceed to create MariaDB DVWA database and database user.

mysql -u root -p

Create DVWA database. Replace the database name accordingly.

create database dvwa;

Create DVWA database user and grant all privileges. Replace the database user accordingly.

grant all on dvwa.* to dvwauser@localhost identified by 'Str0nGp@ssword';

Reload the privileges table and exit the database.

flush privileges;

quit

Install DVWA on Rocky Linux 8

Clone the latest version of the DVWA to Apache default web root directory, /var/www/html.

git clone https://github.com/digininja/DVWA.git /var/www/html/

Check the contents of /var/www/html/.

ls -1 /var/www/html/

about.php
CHANGELOG.md
config
COPYING.txt
docs
dvwa
external
favicon.ico
hackable
ids_log.php
index.php
instructions.php
login.php
logout.php
phpinfo.php
php.ini
README.md
README.zh.md
robots.txt
security.php
setup.php
tests
vulnerabilities

Configure DVWA on Rocky Linux 8

Setup DVWA Database Connection

Begin by renaming the sample configuration file /var/www/html/config/config.inc.php.dist to /var/www/html/config/config.inc.php

cp /var/www/html/config/config.inc.php{.dist,}

Next, edit the configuration file, /var/www/html/config/config.inc.php and set the database connection details.

vim /var/www/html/config/config.inc.php

Replace the database and database user and the password accordingly.

# Database variables
...
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'dvwauser';
$_DVWA[ 'db_password' ] = 'Str0nGp@ssword';

Install reCAPTCHA keys

Generate recapture values from Google service.

Once generated, simply copy and paste the site key and site secret key to $_DVWA[ 'recaptcha_public_key' ] and $_DVWA[ 'recaptcha_private_key' ] respectively.

# ReCAPTCHA settings
#   Used for the 'Insecure CAPTCHA' module
#   You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ]  = '6Lc4BsMUAAAAAKs72dKl4ZTVsA8giXiN7yqQcoVz';
$_DVWA[ 'recaptcha_private_key' ] = '6Lc4BsMUAAAAAI9v0sd_xvlh_PMXTcgtqRYJ6VEd';

Save and exit the configuration file.

Restart MariaDB

systemctl restart mariadb

Configure PHP

The version PHP installed in our case here is 7.4.

php -v

PHP 7.4.6 (cli) (built: May 12 2020 08:09:15) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.6, Copyright (c), by Zend Technologies

Proceed to edit /etc/php.ini and make the following changes.

vim /etc/php.ini

• allow_url_include = On – Allows for Remote File Inclusions (RFI)
• allow_url_fopen = On – Allows for Remote File Inclusions (RFI)
• display_errors = Off – (Optional) Hides PHP warning messages to make it less verbose

Save and quit the PHP configuration file

Set the ownership of the DVWA web root directory to Web server user.

chown -R apache: /var/www/html

Restart Apache and MariaDB

systemctl restart httpd mariadb

Configure SELinux

You might experience that the apache web server user might not be allowed to write /var/www/html/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt as well as on the directory, /var/www/html/config.

Such errors as:

• [User: apache] Writable file /var/www/html/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: No
• [User: apache] Writable folder /var/www/html/config: No

To fix this, we simply set SELinux to permissive.

setenforce 0

sed -i ‘s/=enforcing/=permissive/’ /etc/selinux/config

Complete DVWA Setup from Browser

Navigate to the web browser and access your DVWA using the address, http://server-IP.

On the status check page, ensure that you fix any check whose status is red.

Next, click Create/Reset Database at the bottom to setup the DVWA database. If the database already exists, it will be reset.

After that, you are then taken to the Login screen.

Login using the default credentials: admin:password.

You should now land on DVWA welcome page.

There you go. That is it on how to setup DVWA on Rocky Linux 8. You can now run web application security testings as you wish. Enjoy.

Other Tutorials

Detecting Malicious Files with Wazuh and VirusTotal

Install and Use Nikto Web Scanner on Ubuntu 18.04

Install and Setup Nessus Scanner on Ubuntu 20.04