Damn Vulnerable Web Application (DVWA)
Testing web security tools requires a target with plenty of vulnerabilities. The Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is deliberately vulnerable.
Install lighttpd, PHP, and MySQL
To install the additional packages, first enable the community repository:
vi /etc/apk/repositories
Uncomment the following:
http://pkg.example.com/alpine/v3.11/community
Update the package list:
apk update
Install the additional packages:
apk add lighttpd php7-common php7-iconv php7-json php7-gd php7-curl php7-xml php7-mysqli php7-imap php7-cgi fcgi php7-pdo php7-pdo_mysql php7-soap php7-xmlrpc php7-posix php7-mcrypt php7-gettext php7-ldap php7-ctype php7-dom
Configure Lighttpd
Edit lighttpd.conf
vi /etc/lighttpd/lighttpd.conf
Uncomment the line:
include "mod_fastcgi.conf"
Start the lighttpd service and add it to the default runlevel:
rc-service lighttpd start && rc-update add lighttpd default
Install extra packages:
apk add php5-mysql mysql mysql-client
Installing and configuring DVWA
Create a folder named webapps
mkdir -p /usr/share/webapps/
Download the source archive
cd /usr/share/webapps/
wget https://github.com/RandomStorm/DVWA/archive/v1.9.zip
Unpack the archive and remove it
unzip v1.9.zip
rm v1.9.zip
Change the folder permissions
chmod -R 777 /usr/share/webapps/
Create a symlink to the folder dvwa
ln -s /usr/share/webapps/dvwa/ /var/www/localhost/htdocs/dvwa
Configure and start MySQL
/usr/bin/mysql_install_db --user=mysql
/etc/init.d/mariadb start && rc-update add mariadb default
/usr/bin/mysqladmin -u root password 'password'
Modify the database credentials in the DVWA configuration file config/config.inc.php so that they match the MySQL root password set above:
nano -w /usr/share/webapps/dvwa/config/config.inc.php
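The credential edit can also be scripted instead of done in an editor. The following is an added example, not part of the original page or of DVWA; it assumes the config file uses lines of the form $_DVWA[ 'key' ] = 'value'; and the function names and sample values are hypothetical.

```shell
#!/bin/sh
# Added example: set DVWA database credentials without opening an editor.
# Assumption: the config uses lines such as  $_DVWA[ 'db_password' ] = '...';

# Escape a value for a single-quoted PHP string, then for a sed replacement.
php_sed_escape() {
    printf '%s' "$1" | sed -e "s/[\\\\']/\\\\&/g" -e 's/[\\&|]/\\&/g'
}

# set_dvwa_key FILE KEY VALUE: rewrite one $_DVWA[ 'KEY' ] assignment in place.
# Fails (return 1) if the key is not present, so a typo is not silently ignored.
set_dvwa_key() {
    grep -q "^[\$]_DVWA\[ *'$2' *] *=" "$1" || { echo "no $2 in $1" >&2; return 1; }
    esc=$(php_sed_escape "$3")
    sed "s|^\([\$]_DVWA\[ *'$2' *] *= *\)'.*';|\1'$esc';|" "$1" > "$1.tmp" &&
        cat "$1.tmp" > "$1" &&   # overwrite in place to keep owner and mode
        rm -f "$1.tmp"
}

# get_dvwa_key FILE KEY: print the raw (PHP-escaped) value currently configured.
get_dvwa_key() {
    sed -n "s|^[\$]_DVWA\[ *'$2' *] *= *'\(.*\)';.*|\1|p" "$1"
}

# Constructed sample of the relevant config lines (values are placeholders).
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
?>
EOF
}

# Demo on a temporary copy; on the real host pass
# /usr/share/webapps/dvwa/config/config.inc.php as FILE instead.
cfg=$(mktemp)
make_sample_config "$cfg"
set_dvwa_key "$cfg" db_user root
set_dvwa_key "$cfg" db_password 'password'   # same value as the mysqladmin step
echo "db_password is now: $(get_dvwa_key "$cfg" db_password)"
rm -f "$cfg"
```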
To complete the setup, browse to the DVWA directory on the webserver.
http://WEBSERVER_IP_ADDRESS/dvwa
Follow the link to set up the database.