In order to learn web app exploitation safely (and legally), it is useful to have practice applications to run on your local environment. Damn Vulnerable Web Application (DVWA) was created for just this purpose. DVWA contains many common web vulnerabilities such as SQL injection, XSS, and more that allow you to hone your web hacking skills.
In this article, we will go over how to install DVWA using XAMPP web server in Kali Linux.
To start, we need to download XAMPP to our Kali Linux machine at https://www.apachefriends.org/download.html. We will download the latest version listed for Linux (currently 7.2.7 at the writing of this article) and save the file.
Next we will open our terminal and navigate to our Downloads directory using: cd Downloads
Once in the Downloads directory, we use the command ls -l to get a list of the files and their permissions.
As seen in the screenshot above, we do not currently have execute permissions on the XAMPP installer. To add execute permissions, we perform the following command: chmod +x xampp-linux-x64-7.2.7-0-installer.run (note: make sure to replace the file name with the one that you currently have in your directory).
When we check the file permissions again, we have the execute permission on the file as shown by the “x” and the green color of the file name.
The next step is to run the installer using the command: ./xampp-linux-x64-7.2.7-0-installer.run.
A setup wizard will pop up to go through the steps of installing. While installing ensure the following:
- Both “XAMPP Core Files” and “XAMPP Developer Files” are checked
- Take note of the path that is being used for installation (/opt/lampp)
- Ignore the Internet pop-up and continue with the installation
- You do not need to launch XAMPP upon finishing the installation
Once XAMPP is installed, we will go to the XAMPP control panel and make sure the MySQL database server and Apache Web Server is running by doing the following:
- Navigate to /opt/lampp either in your terminal or in the files finder (from Places > Computer).
- Locate the manager-linux-x64.run and open it
- From terminal: ./manager-linux-x64.run
- From files finder: double-click
- Click “Manage Servers” tab at the top
- Make sure both servers show as “Running”
- If the status of either does not show “Running” then select it and then click “Start” on the right
To download DVWA we go to http://www.dvwa.co.uk/ and hit the big download button at the bottom of the page and save the file.
Again, we will open up our terminal and navigate to the Downloads directory and use ls -l to show the files.
The file is zipped, so we will need to unzip it using the command: unzip DVWA-master.zip.
Now that it is unzipped, we are going to rename the file from DVWA-master to dvwa for ease of use utilizing the command: mv DVWA-master dvwa.
To use DVWA in XAMPP, we will move the dvwa file to the public HTML folder within the installation path that we noted earlier (/opt/lampp). To do this we use the command: mv dvwa /opt/lampp/htdocs.
We need to go into the DVWA configuration file and remove the database password located in the folder /opt/lampp/htdocs/dvwa/config. Once navigated to the directory, we will open the file using Nano text editor (note: you can use whatever text editor you like): nano config.inc.php.dist.
Using our arrow keys, we navigate down to the db_password line and delete the password so that it just shows two quotation marks as seen below.
Next, we will hit control+o on our keyboard to write out the changes to the file then hit enter to confirm. Then we will hit control+x to exit Nano.
Once that is completed, we need to copy config/config.inc.php.dist to config/config.inc.php. While still in the config directory use the command: cp config.inc.php.dist config.inc.php
Using DVWA with XAMPP
Now that all of the installations are done, we will open up Firefox and navigate to the web address http://127.0.0.1/dvwa.
Now we need to create the database. Navigate to the bottom of the page and click the “Create / Reset Database” button.
Once the database is created, it should take you to the login page after a few seconds or you may need to navigate to the login page.
To log in use the below credentials:
- Username: admin
- Password: password
That’s it. You are logged into DVWA and you can do all of your evil deeds in a safe and legal environment. Please note that you may need to go to the “DVWA Security” tab and change the Security Level to adjust the difficulty of compromise.