Setting up Damn Vulnerable Web Application (DVWA) – Pentesting Lab

Configure your web application pentesting lab - 35Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment. In this tutorial, we will be installing Damn Vulnerable Web Application (DVWA) on a Ubuntu virtual machine. Our attacker machine would be Kali Linux, which is also installed as a virtual machine (or virtual box). The host can be any OS, and doesn’t matter since we won’t be using it at all. An alternate configuration is when your host is either Kali or Ubuntu, in which case you need only one VM, to install their the other OS. Alternatively, you could just use a single Kali machine both as attacker as well as victim (running the vulnerable application). However, that makes things less realistic.


  1. Pr-requisites
  2. Installing DVWA
  3. Configuring DVWA
  4. Fixing the problems
  5. Changing credentials
  6. Adding recaptcha key
  7. Enabling disabled stuff
  8. Installing missing stuff
  9. Giving write privileges


You need to have Kali Linux (rolling release) and Ubuntu (I’m using 16.04) up and running. If you aren’t familiar with virtual machines and stuff, then take a break of a few days, get familiar with them, install and run a few Linux (any flavor) VMs, drink some coffee, etc. Once you’re comfortable with virtual machines (and have Kali & Ubuntu up and running), proceed onward.

You also need some minimal knowledge of Linux, networking, and web applications. As an exercise, you could try getting some free web host (a pathetic one will suffice, since you are only doing this for learning and won’t need anyone to use your website), and deploy a WordPress site. Tinker around the website, install themes and stuff to get a feel for it. Then, go one step further and deploy a WordPress instance on your Linux virtual machine. This time, don’t use the WordPress UI to do things, but instead try and figure out stuff manually. Install themes, modules, etc. on your own by placing them in the correct directory. Just tinker away, in short, till you have some level of familiarity with web applications. Versions used:

  • Ubuntu Version – 16.04.1 LTS
  • XAMPP Version – 7.1.1

Installing DVWA

This is a fairly simple procedure. Below are screenshots with explanation. At the end of the tutorial, I have listed commands that you need to type to get all this done (you can simply copy paste the commands). The unnecessary steps are not present in list of commands (in screenshots they are there to enhance your understanding oh what’s going on).

  1. First we will download DVWA.
  2. Then we read it’s doc and find out what to do.
  3. After reading doc, we realize we need to install XAMPP, we do that.
  4. After installing XAMPP, we test if it works by starting it and opening localhost on our machine.
  5. Once we’re sure that XAMPP works, we will proceed and copy DVWA files to htdocs folder of XAMPP.
  6. Now we check if localhost/DVWA-master leads us to the vulnerable app. If it does, then we did everything right.

Open Damn Vulnerable Web App website in your browser. Click on download. You’ll get an archive, extract it.

Navigate to the extracted archive. Get a lay of the land. You’ll find that there is documentation available in docs folder.

Configure your web application pentesting lab - 3

Here is the relevant section of the documentation. We need to install XAMPP. You can get it to work with any other equivalent software bundle, but for ease, let’s stick to the recommended way.

Configure your web application pentesting lab - 4

Proceed to download the XAMPP bundle. I went with the latest version (going with latest version poses a slight problem for us, while DVWA is flawed, our PHP version is perfectly patched. For now, let’s ignore this. If this cause hindrance at a later stage, then we’ll deal with it)

Configure your web application pentesting lab - 5

Navigate to downloads directory and run the installer for XAMPP.

Configure your web application pentesting lab - 6

Realise that you forgot to run the installer as root! (kudos if you ran as root and didn’t make the same mistake as me)

Configure your web application pentesting lab - 7

Run installer as root.

Configure your web application pentesting lab - 8

It’s a simple installer. You’d know what to do.

Configure your web application pentesting lab - 9

Wait for it to finish.

Configure your web application pentesting lab - 10

Start the XAMPP server (note that the directory is lampp in linux systems)

Check if your server is running by typing or localhost on your browser. XAMPP is now up and running properly. Let’s run our vulnerable app on XAMPP now.

Configure your web application pentesting lab - 12

As suggested by the documentation, we simply move our folder into the htdocs directory.

Configure your web application pentesting lab - 13

Open the localhost/DVWA-master URL and you’ll see that everything works as expected. Our initial setup is successfully done.

There is still further configuration to be done, but I don’t want to extend the tutorial any further. After the next section, there is link to part 2 of this series.


For below commands to work, ensure the following-

  • – this file downloaded and is located in Downloads folder
  • DWVA-master directory is located in home folder (the archive to be downloaded and extracted to obtain this directory).
  • Replace VERSION with the version you have downloaded ( in my case)

Here are the commands-

cd ~/Downloads
chmod a+x
cd ~
sudo ./
sudo mv ~/DWVA-master/ /opt/lampp/htdocs/


  1. Read about localhost (what does this URL signify –
  2. Commands used – ls, cd, mv, sudo. Use man pages to find out what these mean (eg. type man mv into the terminal)

Check Also

hexdump - blackMOREOps - 2

Change IP address in packet capture file (faking IP)

I'm sure you bumped into situations where you needed to fake IP address in a capture file. This maybe required when you're trying to send the capture file to someone that you don't really share your real IP's with or you just want to change cause you can. If you've tried this and looked around the interwebs, you'd surely know that there's not many guides available and most people would just tell casually "just use sed" or use "WireEdit" and pay some fees for their license. Now, both works but I just got pissed off in a particular situation where sed wasn't an options (the file was literally few GB's in size and most text editors would just freeze) and to make things worse, I needed to filter a lot of info and only keep source and destination IP addresses in there for privacy's sake. Yeah, that means removing all those noises like DNS, UDP, Broadcast, Cisco ARP, Broadcast, MDNS (yes, that too), SSDP ... yes, pretty much anything except TCP/UDP, HTTP and TLS trarffic between my server and the destination server. So, in summary I had to filter all of these noises and change IP address in packet capture file to hide source IP address, this is similar to faking IP address in packet captures. You can also use other tools to do it on the fly but they require more setup and all I just wanted to do is to hide my source IP.

SamSam Ransomware

SamSam Ransomware

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the …

Use, Twitter, Facebook, or Google+ accounts to comment (anonymous comments allowed)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Privacy Policy on Cookies Usage

Some services used in this site uses cookies to tailor user experience or to show ads.