Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.

This procedure is based on the official documentation of the DVWA. I suggest you to read it if you need more details.


The DVWA is vulnerable by design ! Do not upload it to your hosting provider’s public html folder or any Internet facing servers, as they will be compromised. It is recommend using a virtual machine (such as VirtualBox or VMware), which is set to NAT networking mode.

I do not take responsibility for the way in which any one uses this application (DVWA). I have made the purposes of the application clear and it should not be used maliciously. I have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not mt responsibility it is the responsibility of the person/s who uploaded and installed it.


We start this installation from a Debian based Linux distribution. I suggest you to use the Debian Netintall to have a minimal Linux environment.

One your Debian is fully setup, run the following command to install the dependencies. Be sure to remember the password you set while installing MySQL.

sudo apt-get -y install apache2 mysql-server php5 php5-mysql php5-gd git

Note As you can see, I’m using the sudo command. If you don’t want to run as root, install sudo by running apt-get install sudo (as root), then type sudo adduser <username> sudo to add your user as a sudoer.

Now, clone the DVWA repository in the /var/www/ folder.

cd /var/www
sudo rm -rf html
sudo git clone .

Note Be sure to add the dot (.) at the end of the git command.

Then, edit the in /var/www/config/ to configure the database password.

# Database variables
#   WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
#   Please use a database dedicated to DVWA.
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';

To be sure that all the challenges are running properly, we have to edit some PHP settings in /etc/php5/apache2/php.ini.

allow_url_include = On  # Allows for Remote File Inclusions
allow_url_fopen = On # Allows for Remote File Inclusions
safe_mode = Off # (If PHP <= v5.4) Allows for SQL Injection
magic_quotes_gpc = Off # (If PHP <= v5.4) Allows for SQL Injection
display_errors = Off # (Optional) Hides PHP warning messages to make it less verbose

We also have to edit the Apache configuration in /etc/apache2/sites-enabled/000-default.conf, to change the DocumentRoot with the parameter /var/www/. Then set the proper rights on the /var/www/ folder by running sudo chown -R www-data:www-data /var/www

Restart the Apache service, sudo service apache2 restart and go to http://your_ip/setup.php.

DVWA setup

Once you access the setup page, all the parameters should be green except the reCAPTCHA key.


Note The reCAPTCHA key parameter is used for the Insecure CAPTCHA challenge. It will be needed if you only want to solve the Insecure CAPTCHA challenge, but I didn’t wrote any write-up for it yet. You will have to wait !

Click on the Check / Reset Database button at the bottom of the page. If everything worked fine, you should get the following result:


Then, you on the DVWA by using the following link: http://your_ip/login.php. The default usernmame is: admin and the password is: password.

Install DVWA with Vagrant

Coming Soon