DVWA requires some initial configuration before you can use it. This guide walks through the essential setup steps.

## Configuration File Setup

DVWA ships with a template configuration file that you need to copy and customize.

### Copy the Config File

On **Linux/macOS**:

```bash
cp config/config.inc.php.dist config/config.inc.php
```

On **Windows**, navigate to the `config` folder and:
1. Find `config.inc.php.dist`
2. Copy and rename it to `config.inc.php`

<Note>
  If file extensions are hidden on Windows, see [How to Make Windows Show File Extensions](https://www.howtogeek.com/205086/beginner-how-to-make-windows-show-file-extensions/).
</Note>

## Configuration File Structure

The `config/config.inc.php` file contains all key settings for DVWA. Here are the main configuration options:

### Database Management System

```php
$DBMS = getenv('DBMS') ?: 'MySQL';
```

Specifies which database system to use. Currently supports:

- `MySQL` - MySQL or MariaDB (recommended)
- `PGSQL` - PostgreSQL (currently disabled)

### Database Connection

```php
$_DVWA['db_server']   = getenv('DB_SERVER') ?: '127.0.0.1';
$_DVWA['db_database'] = getenv('DB_DATABASE') ?: 'dvwa';
$_DVWA['db_user']     = getenv('DB_USER') ?: 'dvwa';
$_DVWA['db_password'] = getenv('DB_PASSWORD') ?: 'p@ssw0rd';
$_DVWA['db_port']     = getenv('DB_PORT') ?: '3306';
```

<Warning>
  The database specified in `db_database` will be **entirely deleted** during setup. Use a dedicated database for DVWA.
</Warning>

### Connection Issues

If you're having problems connecting to MySQL and all variables are correct, try changing `db_server` from `localhost` to `127.0.0.1`. This fixes socket-related connection issues.

### Default Security Level

```php
$_DVWA['default_security_level'] = getenv('DEFAULT_SECURITY_LEVEL') ?: 'impossible';
```

Sets the initial security level for each session. Valid values:

- `low`
- `medium`
- `high`
- `impossible`

See Security Levels for details on what each level means.

### Other Settings

```php
// Default language for help pages
$_DVWA['default_locale'] = getenv('DEFAULT_LOCALE') ?: 'en';

// Disable authentication (for tool compatibility)
$_DVWA['disable_authentication'] = getenv('DISABLE_AUTHENTICATION') ?: false;
```

## Environment Variables (Docker)

Instead of editing the config file directly, you can set configuration options using environment variables. This is particularly useful for Docker deployments.

### Available Environment Variables

All configuration options can be set via environment variables:

- `DBMS` - Database management system
- `DB_SERVER` - Database server address
- `DB_DATABASE` - Database name
- `DB_USER` - Database username
- `DB_PASSWORD` - Database password
- `DB_PORT` - Database port
- `DEFAULT_SECURITY_LEVEL` - Initial security level
- `DEFAULT_LOCALE` - Language setting
- `DISABLE_AUTHENTICATION` - Disable login requirement
- `RECAPTCHA_PUBLIC_KEY` - reCAPTCHA public key
- `RECAPTCHA_PRIVATE_KEY` - reCAPTCHA private key
- `SQLI_DB` - SQLi lab database backend

### Docker Compose Example

Add environment variables to your `compose.yml`:

```yaml
environment:
  - DB_SERVER=db
  - DEFAULT_SECURITY_LEVEL=low
  - DEFAULT_LOCALE=en
```

## ReCAPTCHA Setup (Optional)

The reCAPTCHA configuration is only required for the “Insecure CAPTCHA” vulnerability module.

### Generate API Keys

1. Visit Google reCAPTCHA Admin
2. Create a new site and generate API keys
3. Add the keys to your config file:

```php
$_DVWA['recaptcha_public_key']  = getenv('RECAPTCHA_PUBLIC_KEY') ?: '';
$_DVWA['recaptcha_private_key'] = getenv('RECAPTCHA_PRIVATE_KEY') ?: '';
```

Or set them as environment variables in Docker.

<Note>
  You can skip this step if you don't plan to use the Insecure CAPTCHA module.
</Note>

## Folder Permissions

Certain directories need to be writable by the web server.

### Uploads Directory

The uploads folder must be writable for the File Upload vulnerability:

```bash
chmod 777 hackable/uploads/
```

Or more securely:

```bash
chown www-data:www-data hackable/uploads/
chmod 755 hackable/uploads/
```

Replace `www-data` with your web server user (e.g., `apache`, `nginx`).

## SQLite3 Configuration (Optional)

By default, SQL Injection labs use MySQL/MariaDB, but you can switch to SQLite3.

### Enable SQLite Backend

Edit your config file:

```php
$_DVWA['SQLI_DB'] = SQLITE;
$_DVWA['SQLITE_DB'] = 'sqli.db';
```

Or set via environment variable:

```bash
SQLI_DB=sqlite
```

### Install PHP SQLite Extension

On Debian/Ubuntu:

```bash
sudo apt install php-sqlite3
sudo service apache2 restart
```

### Reset SQLite Database

If you corrupt the database:

```bash
cp database/sqli.db.dist database/sqli.db
```

## Disable Authentication

Some security tools don't work well with authentication. You can disable it:

```php
$_DVWA['disable_authentication'] = true;
$_DVWA['default_security_level'] = 'low';
```

In this mode, you can access all features without logging in.

<Warning>
  Disabling authentication removes all access controls. Only use this in isolated test environments.
</Warning>
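
The following pre-flight check is an added example, not part of DVWA, for the environment-variable settings described above. Each setting is read as `getenv('X') ?: default`, so any string other than `""` or `"0"` overrides the default, and `DISABLE_AUTHENTICATION=false` arrives as the truthy string `"false"`. The function names are hypothetical, and the check assumes DVWA tests `disable_authentication` for truthiness, which this page does not show.

```bash
#!/bin/sh
# Added example: audit DVWA environment values before starting the container.
# Mirrors PHP's `getenv('X') ?: default`: the env value is used only when
# PHP considers the string truthy, i.e. anything except "" and "0".

php_truthy() {
    case "$1" in
        ""|0) return 1 ;;   # the only string values PHP treats as false
        *)    return 0 ;;   # includes "false", "no", "off"
    esac
}

# Prints one finding per line; prints nothing when the settings are clean.
# Args: DISABLE_AUTHENTICATION DEFAULT_SECURITY_LEVEL DB_PASSWORD
audit_dvwa_env() {
    disable_auth=$1 level=$2 db_pass=$3

    # Assumption: DVWA checks this setting for truthiness.
    if php_truthy "$disable_auth"; then
        echo "AUTH_DISABLED: DISABLE_AUTHENTICATION='$disable_auth' is truthy in PHP"
    fi

    # An unset or falsy level falls back to 'impossible' in the config above.
    if php_truthy "$level"; then
        case "$level" in
            low|medium|high|impossible) ;;
            *) echo "BAD_LEVEL: '$level' is not low|medium|high|impossible" ;;
        esac
    fi

    # A falsy password falls back to the template default shown on this page.
    if ! php_truthy "$db_pass" || [ "$db_pass" = 'p@ssw0rd' ]; then
        echo "DEFAULT_DB_PASSWORD: database password is the shipped default"
    fi
}

# Constructed sample: an operator tries to keep login enabled with "false".
audit_dvwa_env "false" "Low" "p@ssw0rd"
```

To keep authentication enabled through the environment, leave `DISABLE_AUTHENTICATION` unset or set it to `0`.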

## Next Steps

After configuring the file:

1. Set up the database
2. Navigate to `http://localhost/DVWA/setup.php`
3. Click “Create / Reset Database”
4. Log in with the default credentials:
   - Username: `admin`
   - Password: `password`

Your DVWA installation is now configured and ready to use!
