DVWA is made with PHP and MySQL for security professionals or aspiring security professionals to discover as many issues as possible and exploit some of the most common vulnerabilities of web platforms like SQL injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and more.
Note: This guide is for beginners. If you're unable to complete any of the steps or encounter an error message during the installation, I encourage you to use StackOverflow to find an answer.
- Hypervisor: VirtualBox
- Linux Distro: Kali Linux (preferably) or any other Linux-based distro.
- IMPORTANT: we need to use a virtual machine and not a connected server, because DVWA is really vulnerable and should only be installed on your virtual machine with NAT.
Because DVWA is an open-source project, it is constantly being updated and improved, so we first need to make sure our system is up to date. We just need to run the following commands:
$ sudo apt update && sudo apt upgrade -y
To install apache2, we just need to run the following command:
$ sudo apt install apache2
To test it, we just need to start it:
$ sudo systemctl start apache2
Now we just need to open http://127.0.0.1 in a browser.
In this step we need to get the container from DockerHub.
The easiest way to get DVWA working is through a ready-to-use Docker container, and for that we need to have Docker Engine installed. We just need to run the following command:
$ sudo apt install docker.io -y
We just need to use docker pull to fetch the image:
$ docker pull vulnerables/web-dvwa
The best thing about Docker is that a single command runs the container:
$ docker run --rm -it -p 80:80 vulnerables/web-dvwa
Now, after running the Docker image, we have a ready-to-use DVWA platform on our localhost. We just have to access http://localhost/login.php.
This is perhaps the trickiest part of the guide. We need to make sure that:
- The virtual machine's network mode is set to Bridged so that it can be accessible from the host machine.
- We're connected to a network so that the VM gets an IP address (even if we don't have Internet access).
In our case, our machine's IP is:
- IP: 192.168.1.156
We just have to access http://192.168.1.156.
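The steps above can be wrapped in one lab-readiness script. This is an added example, not code from the guide or from the DVWA project: it checks that nothing else (for instance the apache2 service started earlier) already holds port 80, reads the VM's non-loopback IPv4 address for the host browser, starts the container detached instead of with `-it`, and waits until login.php answers. The container name `dvwa` and the `run` argument are choices of this script, and it assumes `ss`, `ip`, `curl` and `docker` are available in the VM.

```shell
#!/bin/sh
# Added helper for the DVWA-in-Docker setup (not part of the original guide or
# the DVWA project): preflight port 80, find the VM address, start and wait.
set -u

# Read `ss -ltn` output on stdin; succeed if TCP port $1 is in LISTEN state.
# Matches "0.0.0.0:80", "*:80" and "[::]:80" without confusing 80 with 8080.
port_listening() {
  awk -v p=":$1" '$1 == "LISTEN" && $4 ~ (p "$") { found = 1 } END { exit !found }'
}

# Read `ip -4 -o addr` output on stdin; print the first non-loopback IPv4 address.
vm_ipv4() {
  awk '$2 != "lo" && $3 == "inet" { split($4, a, "/"); print a[1]; exit }'
}

# Poll a URL with curl until it answers with a non-error status or tries run out.
wait_for_http() {
  url="$1"; tries="${2:-30}"
  while [ "$tries" -gt 0 ]; do
    curl -fs -o /dev/null "$url" 2>/dev/null && return 0
    tries=$((tries - 1)); sleep 1
  done
  return 1
}

main() {
  if ss -ltn | port_listening 80; then
    echo "port 80 is already bound (apache2 from the earlier step?); run: sudo systemctl stop apache2" >&2
    exit 1
  fi
  addr=$(ip -4 -o addr | vm_ipv4)
  # Same image as the guide, but detached so this script can poll for readiness.
  docker run --rm -d --name dvwa -p 80:80 vulnerables/web-dvwa >/dev/null
  if wait_for_http "http://127.0.0.1/login.php"; then
    echo "DVWA is up. From this VM: http://127.0.0.1/login.php"
    echo "From the host browser (VM NIC in Bridged mode): http://${addr:-<vm-ip>}/login.php"
  else
    echo "DVWA did not answer on port 80; check: docker logs dvwa" >&2
    exit 1
  fi
}

# Only act when explicitly asked, so the functions can be sourced or tested alone.
case "${1:-}" in run) main ;; esac
```

Run it as `sh dvwa-up.sh run` inside the VM; the two parser functions take their input on stdin, so they can be checked against saved `ss` and `ip` output as well.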
I advise you to take your time with the Low difficulty and work your way up from there. I also found an interesting repo made by @keewenaw.