
## Overview

This guide covers manual installation of DVWA on Debian-based Linux distributions (Debian, Ubuntu, Kali Linux, Linux Mint, etc.). This method provides maximum control and is ideal for understanding how DVWA works.
Do not upload DVWA to any Internet-facing server. DVWA is intentionally vulnerable and will be compromised. Use virtual machines with NAT networking or isolated lab environments only.

## Prerequisites

- Debian-based Linux distribution (Debian, Ubuntu, Kali, Linux Mint, Zorin OS, etc.)
- Root or sudo access
- Basic command-line knowledge

## Automated Installation (Optional)

An unofficial automated installation script is available for Debian-based systems. While it’s been reviewed and is included here, you should review any script before running it as root. The script is maintained by @IamCarron.

### One-Liner Installation

```bash
sudo bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh)"
```

### Manual Script Installation

If you prefer to review the script first:

```bash
# Download the script
wget https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh

# Make it executable
chmod +x Install-DVWA.sh

# Review the script
less Install-DVWA.sh

# Run as root
sudo ./Install-DVWA.sh
```

After running the automated script, skip to Initialize DVWA.

## Manual Installation

### Update System

Before installing packages, update your system:

```bash
sudo apt update
sudo apt upgrade -y
```

### Install Required Packages

Install Apache, MariaDB, PHP, and required PHP modules:

```bash
sudo apt install -y apache2 mariadb-server mariadb-client php php-mysqli php-gd libapache2-mod-php
```

#### Package Breakdown

| Package | Description |
|---|---|
| `apache2` | Apache web server |
| `mariadb-server` | MariaDB database server |
| `mariadb-client` | MariaDB client tools |
| `php` | PHP interpreter |
| `php-mysqli` | PHP MySQL/MariaDB extension |
| `php-gd` | PHP image manipulation library |
| `libapache2-mod-php` | Apache PHP module |

DVWA works with MySQL instead of MariaDB, but MariaDB is strongly recommended as it works out of the box, whereas MySQL requires additional configuration.

### Verify Services

Check that Apache and MariaDB are running:

```bash
# Check Apache status
sudo systemctl status apache2

# Check MariaDB status
sudo systemctl status mariadb
```

You should see `active (running)` for both services.

**If services aren't running, start them:**

```bash
sudo systemctl start apache2
sudo systemctl start mariadb
```

**Enable auto-start on boot:**

```bash
sudo systemctl enable apache2
sudo systemctl enable mariadb
```

## Configure Apache

### Enable mod_rewrite

The API vulnerability lab requires `mod_rewrite`:

```bash
sudo a2enmod rewrite
```

### Restart Apache

Apply the changes:

```bash
sudo apachectl restart
```

Or:

```bash
sudo systemctl restart apache2
```

### Verify Apache

Open a browser and navigate to:

```text
http://localhost
```

You should see the Apache default page.

## Configure PHP

DVWA requires specific PHP settings to function properly and demonstrate certain vulnerabilities.

### Locate php.ini

PHP configuration files are typically located at:

- Apache: `/etc/php/8.x/apache2/php.ini`
- PHP-FPM: `/etc/php/8.x/fpm/php.ini`

Replace `8.x` with your PHP version (e.g., 8.1, 8.2).

**Find your PHP version:**

```bash
php -v
```

**Locate php.ini:**
```bash
php --ini | grep "Loaded Configuration File"
```

### Required PHP Settings

Edit the php.ini file:

```bash
sudo nano /etc/php/8.1/apache2/php.ini
```

Modify or add these directives:

```ini
; Allow Remote File Inclusion (required for RFI vulnerability)
allow_url_include = On
allow_url_fopen = On

; Display errors for troubleshooting
display_errors = On
display_startup_errors = On

; Disable magic quotes (deprecated, but may appear in older PHP versions)
magic_quotes_gpc = Off
```

#### Search and Replace in nano

1. Open the file with `sudo nano /etc/php/8.1/apache2/php.ini`
2. Press Ctrl+W to search
3. Type `allow_url_include` and press Enter
4. Change the value from `Off` to `On`
5. Repeat for other directives
6. Press Ctrl+O to save, then Ctrl+X to exit
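
The same edits can be scripted instead of made by hand in nano. This is an added example, not part of DVWA or its documentation: the function names `set_ini_directive`, `get_ini_directive` and `apply_dvwa_php_settings` are hypothetical, the sample file is constructed, and `sed -i` assumes GNU sed as shipped on Debian-based systems.

```shell
#!/usr/bin/env bash
# Added example, not DVWA project code. Function names are hypothetical.

# set_ini_directive FILE KEY VALUE
#   1. an active "KEY = ..." line is rewritten in place
#   2. otherwise the first commented-out ";KEY = ..." line is activated
#   3. otherwise "KEY = VALUE" is appended
set_ini_directive() {
    local file="$1" key="$2" value="$3" line
    local active="^[[:space:]]*${key}[[:space:]]*="
    local commented="^[[:space:]]*;[[:space:]]*${key}[[:space:]]*="
    if grep -Eq "$active" "$file"; then
        sed -i -E "s|${active}.*|${key} = ${value}|" "$file"
    elif grep -Eq "$commented" "$file"; then
        line=$(grep -nE "$commented" "$file" | head -n 1 | cut -d: -f1)
        sed -i "${line}s|.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini_directive FILE KEY: print the last active value of KEY
get_ini_directive() {
    sed -n -E "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# apply_dvwa_php_settings FILE: back up FILE, then turn on the four
# directives this guide changes. magic_quotes_gpc is skipped because it was
# removed in PHP 5.4 and has no effect on PHP 8.
apply_dvwa_php_settings() {
    local file="$1" key
    cp -p "$file" "${file}.bak"
    for key in allow_url_include allow_url_fopen display_errors display_startup_errors; do
        set_ini_directive "$file" "$key" On
    done
}

# Demo on a constructed php.ini fragment (not a real system file).
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
[PHP]
allow_url_fopen = On
allow_url_include = Off
;display_errors = Off
EOF
apply_dvwa_php_settings "$demo_ini"
cat "$demo_ini"
```

To use it on the lab VM, call `apply_dvwa_php_settings` as root with the path reported by `php --ini`; the original file is kept beside it with a `.bak` suffix.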

### Restart Apache

After modifying PHP configuration:

```bash
sudo systemctl restart apache2
```

Or:

```bash
sudo apachectl restart
```

## Download DVWA

Clone the official repository:

```bash
cd /var/www/html
sudo git clone https://github.com/digininja/DVWA.git
```

This creates `/var/www/html/DVWA/`.

### Using wget

Download and extract the ZIP file:

```bash
cd /var/www/html
sudo wget https://github.com/digininja/DVWA/archive/master.zip
sudo unzip master.zip
sudo mv DVWA-master DVWA
```

## Set Permissions

Ensure the web server can read DVWA files:

```bash
sudo chown -R www-data:www-data /var/www/html/DVWA
sudo chmod -R 755 /var/www/html/DVWA
```

Make the upload directory writable:

```bash
sudo chmod 777 /var/www/html/DVWA/hackable/uploads/
```

777 permissions are insecure and should only be used in isolated testing environments.

## Configure Database

### Secure MariaDB Installation

Run the security script to set a root password and remove test databases:

```bash
sudo mysql_secure_installation
```

Follow the prompts:
- Set root password: **Yes** (choose a strong password)
- Remove anonymous users: **Yes**
- Disallow root login remotely: **Yes**
- Remove test database: **Yes**
- Reload privilege tables: **Yes**

### Create Database and User

Connect to MariaDB as root:

```bash
sudo mysql -u root -p
```

Enter your root password when prompted. Run the following SQL commands:

```sql
CREATE DATABASE dvwa;
CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
FLUSH PRIVILEGES;
EXIT;
```

**Explanation:**
- `CREATE DATABASE dvwa;` - Creates the `dvwa` database
- `CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd';` - Creates user `dvwa` with password `p@ssw0rd`
- `GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';` - Grants full access to the `dvwa` database
- `FLUSH PRIVILEGES;` - Reloads the grant tables

<Note>
**You cannot use the root user** with MariaDB in DVWA. You must create a dedicated database user as shown above.
</Note>

### Test Database Connection

Verify you can connect with the new user:

```bash
mysql -u dvwa -pp@ssw0rd -D dvwa
```

Note: There’s no space between `-p` and the password.

If successful, you’ll see:

```text
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 10.x.xx-MariaDB-0ubuntu0.xx.xx

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [dvwa]>
```

Type `EXIT;` to quit.

## Configure DVWA

### Copy Configuration File

```bash
cd /var/www/html/DVWA
sudo cp config/config.inc.php.dist config/config.inc.php
```

### Edit Configuration

Open the configuration file:

```bash
sudo nano config/config.inc.php
```

Verify the database settings match your setup:

```php
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
$_DVWA[ 'db_port' ]     = '3306';
```

**Common Configuration Options:**

```php
// Set default security level
$_DVWA[ 'default_security_level' ] = 'low';

// Disable authentication for automated tools
$_DVWA[ 'disable_authentication' ] = false;

// Set default locale (en or zh)
$_DVWA[ 'default_locale' ] = 'en';
```

Save and exit (Ctrl+O, then Ctrl+X).

If you have connection issues, try changing `db_server` from `localhost` to `127.0.0.1`. This fixes socket-related problems.

## Initialize DVWA

### Access DVWA

Open a browser and navigate to:

```text
http://localhost/DVWA/
```

Or, if accessing from another machine on the network:

```text
http://<server-ip>/DVWA/
```

Linux is case-sensitive. The URL must be `http://localhost/DVWA/` (uppercase), not `http://localhost/dvwa/`.

### Setup Database

1. You should see a setup page with system checks
2. Review any warnings or errors:
   - Green ✓ = OK
   - Red ✗ = Issue that needs fixing
3. Scroll to the bottom and click “Create / Reset Database”

This creates the necessary database tables and populates them with data.

#### Common Setup Errors

**Database connection failed:**

- Verify credentials in `config/config.inc.php`
- Ensure MariaDB is running: `sudo systemctl status mariadb`
- Test manual connection: `mysql -u dvwa -pp@ssw0rd -D dvwa`

**Uploads folder not writable:**

- Set permissions: `sudo chmod 777 /var/www/html/DVWA/hackable/uploads/`

**Blank page:**

- Enable PHP error display in `php.ini`
- Restart Apache: `sudo systemctl restart apache2`

### Login

After database setup, you’ll be redirected to the login page.

**Default Credentials:**

- Username: `admin`
- Password: `password`

Login URL: `http://localhost/DVWA/login.php`

## Optional: Install Composer for API Module

The API vulnerability module requires vendor files installed via Composer.

### Install Composer

Follow the official installation guide:

```bash
cd ~
curl -sS https://getcomposer.org/installer -o composer-setup.php
sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer
```

Verify installation:

```bash
composer --version
```

### Install Vendor Files

```bash
cd /var/www/html/DVWA/vulnerabilities/api
sudo composer install
```

Or, if Composer is installed locally:

```bash
cd /var/www/html/DVWA/vulnerabilities/api
sudo php /path/to/composer.phar install
```

## Troubleshooting

### 404 Error - Page Not Found

**Cause:** Files not in the expected location or wrong URL

**Solutions:**

1. Verify files are in `/var/www/html/DVWA/`
2. Check URL is `http://localhost/DVWA/` (case-sensitive)
3. Verify Apache DocumentRoot:
   ```bash
   grep DocumentRoot /etc/apache2/sites-enabled/000-default.conf
   ```

### Blank Page

**Cause:** PHP errors are hidden

**Solution:**
1. Enable error display in `php.ini`:
   ```ini
   display_errors = On
   display_startup_errors = On
   ```
2. Restart Apache: `sudo systemctl restart apache2`
3. Check Apache error logs:
   ```bash
   sudo tail -n 50 /var/log/apache2/error.log
   ```

### Database Connection Refused

**Error:**

```text
Fatal error: Uncaught mysqli_sql_exception: Connection refused
```

**Cause:** MariaDB is not running

**Solution:**
```bash
sudo systemctl start mariadb
sudo systemctl enable mariadb
```

### Access Denied for User 'dvwa'@'localhost'

**Error:**

```text
Database Error #1045: Access denied for user 'dvwa'@'localhost' (using password: YES)
```

**Cause:** Incorrect credentials

**Solution:**

1. Verify credentials in `config/config.inc.php`
2. Test manual connection: `mysql -u dvwa -pp@ssw0rd -D dvwa`
3. Recreate the database user if necessary (see Create Database and User)

### MySQL Server Has Gone Away

**Cause:** Incompatibility between PHP and MySQL version

**Solution:** Use MariaDB instead of MySQL:

```bash
sudo apt remove mysql-server
sudo apt install mariadb-server
```

See [How to Migrate from MySQL to MariaDB](https://mariadb.com/resources/blog/how-to-migrate-from-mysql-to-mariadb-on-linux-in-five-steps/)

### SELinux Blocking Database Connection (CentOS/RHEL)

**Cause:** SELinux policy prevents Apache from connecting to the database

**Solution:**
```bash
sudo setsebool -P httpd_can_network_connect_db 1
```

### Check Log Files

Apache logs are invaluable for troubleshooting:

```bash
# Error log
sudo tail -n 50 /var/log/apache2/error.log

# Access log
sudo tail -n 50 /var/log/apache2/access.log
```

## Security Reminders

1. Never expose DVWA to the internet - Use NAT networking or isolated environments
2. DVWA is intentionally vulnerable - Treat it as a compromised system
3. Use virtual machines for additional isolation
4. Stop services when not in use:
   ```bash
   sudo systemctl stop apache2
   sudo systemctl stop mariadb
   ```
5. Do not install on production servers - DVWA is for training only
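
One way to check the first reminder on a running lab host, as an added example that is not from the DVWA project: it reads `ss -Hltn` output and lists Apache (port 80) or MariaDB (port 3306) listeners bound to a non-loopback address. The function name `exposed_listeners` is hypothetical and the sample output is constructed.

```shell
#!/usr/bin/env bash
# Added example, not DVWA project code. Function name is hypothetical.

# exposed_listeners [PORT...]
#   Reads `ss -Hltn` output on stdin and prints "ADDRESS PORT" for every
#   listener on one of the given ports (default: 80 3306) whose local
#   address is not loopback (127.0.0.0/8 or ::1).
exposed_listeners() {
    local ports="${*:-80 3306}"
    awk -v ports="$ports" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            local_ep = $4                       # e.g. 127.0.0.1:3306, *:80, [::]:80
            port = local_ep; sub(/.*:/, "", port)
            addr = local_ep; sub(/:[0-9]+$/, "", addr)
            if (!(port in want)) next           # not a DVWA-related port
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            print addr, port
        }'
}

# Constructed sample of `ss -Hltn` output. On a real host run:
#   ss -Hltn | exposed_listeners
sample_ss_output='LISTEN 0 80  127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::1]:3306 [::]:*'
printf '%s\n' "$sample_ss_output" | exposed_listeners
```

A non-loopback listener on port 80 is expected if you browse DVWA from another machine; in that case the VM's NAT or isolated network is the only thing keeping the lab private.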

## Next Steps

After successful installation:

1. Explore different security levels (low, medium, high, impossible)
2. Start with beginner-friendly modules like SQL Injection or XSS
3. Read the Help documentation for each vulnerability
4. Practice responsible disclosure and ethical hacking techniques

## Additional Resources

Before submitting issues, ensure you’re running the latest code from the master branch, not just the latest release.
