For testing web security tools a target which has plenty vulnerabilities is needed. The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable.

Install lighttpd, PHP, and MySql

For installing the additional packages first activate community packages:

vi /etc/apk/repositories

Uncomment the following:

http://pkg.example.com/alpine/v3.11/community

Update the packagelist:

apk update

Install the additional packages:

apk add lighttpd php7-common php7-iconv php7-json php7-gd php7-curl php7-xml php7-mysqli php7-imap php7-cgi fcgi php7-pdo php7-pdo_mysql php7-soap php7-xmlrpc php7-posix php7-mcrypt php7-gettext php7-ldap php7-ctype php7-dom

Configure Lighttpd

Edit lighttpd.conf

vi /etc/lighttpd/lighttpd.conf

Uncomment line:

include "mod_fastcgi.conf"

Start lighttpd service and add to needed runlevel

rc-service lighttpd start && rc-update add lighttpd default

Install extra packages:

apk add php5-mysql mysql mysql-client

Installing and configuring DVWA

Create the a folder named webapps

mkdir -p /usr/share/webapps/

Download the source archive and unpack it

cd /usr/share/webapps/ wget https://github.com/RandomStorm/DVWA/archive/v1.9.zip

Unpack the archive and remove it

unzip v1.9.zip rm v1.9.zip

Change the folder permissions

chmod -R 777 /usr/share/webapps/

Create a symlinks to the folder dvwa

ln -s /usr/share/webapps/dvwa/ /var/www/localhost/htdocs/dvwa

Configuration and start MySql

/usr/bin/mysql_install_db --user=mysql /etc/init.d/mariadb start && rc-update add mariadb default /usr/bin/mysqladmin -u root password 'password'

Modify the database credentials within DVWA configuration file /config/config.inc.php

nano -w /usr/share/webapps/dvwa/config/config.inc.php

To complete the setup, browse to the DVWA directory on the webserver.

http://WEBSERVER_IP_ADDRESS/dvwa

Follow the link to setup the database.