Damn Vulnerable Web Application (DVWA)

From Alpine Linux
Jump to: navigation, search

For testing web security tools a target which has plenty vulnerabilities is needed. The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable.

Install lighttpd, PHP, and MySql

Install the additional packages:

apk add lighttpd php5-common php5-iconv php5-json php5-gd php5-curl php5-xml php5-pgsql php5-imap php5-cgi fcgi

apk add php5-pdo php5-pdo_pgsql php5-soap php5-xmlrpc php5-posix php5-mcrypt php5-gettext php5-ldap php5-ctype php5-dom

Configure Lighttpd

Edit lighttpd.conf

vi /etc/lighttpd/lighttpd.conf

Uncomment line:

include "mod_fastcgi.conf"


Edit mod_fastcgi.conf

vi /etc/lighttpd/mod_fastcgi.conf

Edit the section:

/usr/bin/php-cgi

To:

/usr/bin/php-cgi5

Start lighttpd service and add to needed runlevel

rc-service lighttpd start && rc-update add lighttpd default

Install extra packages:

apk add php-mysql mysql mysql-client

Installing and configuring DVWA

Create the a folder named webapps

mkdir -p /usr/share/webapps/

Download the source archive and unpack it

cd /usr/share/webapps/ wget https://github.com/RandomStorm/DVWA/archive/v1.9.zip

Unpack the archive and remove it

unzip v1.9.zip rm v1.9.zip

Change the folder permissions

chmod -R 777 /usr/share/webapps/

Create a symlinks to the folder dvwa

ln -s /usr/share/webapps/dvwa/ /var/www/localhost/htdocs/dvwa

Configuration and start MySql

/usr/bin/mysql_install_db --user=mysql /etc/init.d/mariadb start && rc-update add mariadb default /usr/bin/mysqladmin -u root password 'password'

Modify the database credentials within DVWA configuration file /config/config.inc.php

nano -w /usr/share/webapps/dvwa/config/config.inc.php

To complete the setup, browse to the DVWA directory on the webserver.

http://WEBSERVER_IP_ADDRESS/dvwa

Follow the link to setup the database.