
Master Web Security: Your Complete Guide to Installing DVWA on CentOS 8
For anyone serious about a career in cybersecurity, ethical hacking, or web development, hands-on experience is non-negotiable. One of the best ways to gain this experience is by practicing in a safe, controlled environment. This is where the Damn Vulnerable Web Application (DVWA) comes in—a PHP/MySQL web application that is intentionally packed with security vulnerabilities for you to discover and exploit.
Setting up your own DVWA lab is a fundamental step in learning how to identify and mitigate common web threats like SQL Injection, Cross-Site Scripting (XSS), and File Inclusion. This guide will walk you through the complete, step-by-step process of installing and configuring DVWA on a CentOS 8 server.
Prerequisites
Before we begin, ensure you have the following:
- A running instance of CentOS 8.
- Access to a user account with sudo or root privileges.
Step 1: Setting Up the LAMP Environment
DVWA is built on PHP and requires a web server and database to run. The classic “LAMP” stack (Linux, Apache, MariaDB, PHP) is the perfect foundation.
First, update your system’s package repository to ensure you have the latest software versions.
sudo dnf update -y
Install Apache Web Server
Apache (httpd) will serve the DVWA web pages. Install it using the following command:
sudo dnf install httpd -y
Once installed, start and enable the Apache service to ensure it runs automatically on boot:
sudo systemctl start httpd
sudo systemctl enable httpd
Install MariaDB Database Server
MariaDB is a popular open-source relational database and a drop-in replacement for MySQL. DVWA will use it to store its data.
sudo dnf install mariadb-server mariadb -y
Just like Apache, start and enable the MariaDB service:
sudo systemctl start mariadb
sudo systemctl enable mariadb
Install PHP and Required Extensions
DVWA requires PHP along with several specific extensions to function correctly. These extensions handle tasks like connecting to the database and processing images for CAPTCHA challenges.
sudo dnf install php php-mysqlnd php-gd php-cli php-json -y
To apply the changes, restart the Apache web server:
sudo systemctl restart httpd
Step 2: Configuring the MariaDB Database for DVWA
With the database server installed, you need to perform an initial security setup and create a dedicated database and user for DVWA.
First, run the secure installation script. This will prompt you to set a root password, remove anonymous users, and disable remote root login—all essential security best practices.
sudo mysql_secure_installation
Next, log in to the MariaDB shell using the root password you just created:
sudo mysql -u root -p
Now, create the database and user. For security, it’s crucial to use a dedicated, non-root user for the application.
CREATE DATABASE dvwa;
CREATE USER 'dvwa_user'@'127.0.0.1' IDENTIFIED BY 'YourStrongPassword';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa_user'@'127.0.0.1';
FLUSH PRIVILEGES;
EXIT;
Remember to replace 'YourStrongPassword' with a secure password of your own.
Step 3: Downloading and Configuring DVWA
Now it’s time to download the DVWA source code and configure it to connect to your new database.
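Install git if it is not already present (a minimal CentOS 8 installation does not include it), then navigate to the Apache web root directory and clone the DVWA repository from GitHub.
sudo dnf install git -y
cd /var/www/html/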
sudo git clone https://github.com/digininja/DVWA.git
sudo mv DVWA dvwa
This downloads the application into a new directory named dvwa.
Next, navigate into the DVWA config directory and copy the sample configuration file. This is the file you’ll edit with your specific settings.
cd /var/www/html/dvwa/config/
sudo cp config.inc.php.dist config.inc.php
Now, open the new config.inc.php file with a text editor like nano or vi:
sudo nano /var/www/html/dvwa/config/config.inc.php
You need to modify two key sections:
Database Credentials: Update the file with the database name, user, and password you created in the previous step.
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'dvwa_user';
$_DVWA[ 'db_password' ] = 'YourStrongPassword';
reCAPTCHA Keys (Optional but Recommended): For certain challenges to work, you need to add public and private reCAPTCHA v2 keys from Google. You can generate them for free from the Google reCAPTCHA admin console.
$_DVWA[ 'recaptcha_public_key' ] = 'YOUR_PUBLIC_KEY';
$_DVWA[ 'recaptcha_private_key' ] = 'YOUR_PRIVATE_KEY';
Save and close the file after making your changes.
Step 4: Finalizing Permissions and Firewall Rules
For DVWA to work correctly, the Apache web server needs permission to write to certain directories. You also need to adjust system security settings like SELinux and the firewall.
Set File Permissions
Change the ownership of the DVWA directory to the Apache user and group.
sudo chown -R apache:apache /var/www/html/dvwa
Configure SELinux
SELinux is a security module in CentOS that can prevent Apache from making network connections, which would block DVWA from connecting to its database. Set the correct SELinux boolean to allow this:
sudo setsebool -P httpd_can_network_connect 1
Adjust Firewall Rules
By default, the CentOS firewall will block incoming web traffic. You need to create rules to permanently allow HTTP and HTTPS traffic.
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
Accessing and Setting Up Your DVWA Lab
You’re all set! Open your web browser and navigate to your server’s setup page:
http://<your-server-ip>/dvwa/setup.php
Scroll to the bottom of the page and click the “Create / Reset Database” button. This will populate the database with the necessary tables and data.
Once complete, you will be redirected to the login page. The default credentials are:
- Username: admin
- Password: password
Crucial Security Warning
DVWA is designed to be vulnerable. Under no circumstances should you ever expose your DVWA installation to the public internet. Doing so would create a massive security risk for your server and network.
Actionable Security Tip: Always run DVWA on a private, isolated network or a virtual machine that is firewalled off from the internet. Treat it as a live, vulnerable system because that is exactly what it is.
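Step 4 opens HTTP and HTTPS to every source the public zone matches, which sits uneasily with the isolation advice above. The following is an added example, not part of the original guide, that classifies the output of firewall-cmd --zone=public --list-all; the function name, the sample outputs and the 192.168.56.0/24 lab subnet are assumptions constructed for illustration.

```shell
# Added example: classify `firewall-cmd --zone=public --list-all` output on stdin.
#   EXPOSED    = http/https accepted from any source the zone matches
#   RESTRICTED = http/https accepted only through source-scoped rich rules
#   CLOSED     = no http/https rule found
# Simplifying assumption: zone-level "sources:" bindings are not evaluated.
dvwa_fw_audit() {
    awk '
        $1 == "services:" {
            for (i = 2; i <= NF; i++)
                if ($i == "http" || $i == "https") svc_open = 1
        }
        $1 == "rule" && /service name="https?"/ && / accept/ {
            if ($0 ~ /source address=/) scoped = 1; else svc_open = 1
        }
        END {
            if (svc_open) print "EXPOSED"
            else if (scoped) print "RESTRICTED"
            else print "CLOSED"
        }'
}

# Constructed sample: public zone after this guide's Step 4.
sample_as_configured() {
cat <<'EOF'
public (active)
  interfaces: ens33
  services: cockpit dhcpv6-client http https ssh
  rich rules:
EOF
}

# Constructed sample: web access limited to an assumed lab subnet.
sample_lab_only() {
cat <<'EOF'
public (active)
  interfaces: ens33
  services: cockpit dhcpv6-client ssh
  rich rules:
	rule family="ipv4" source address="192.168.56.0/24" service name="http" accept
EOF
}
# One way to get from the first state to the second (subnet is an assumption):
#   sudo firewall-cmd --permanent --zone=public --remove-service=http
#   sudo firewall-cmd --permanent --zone=public --remove-service=https
#   sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.56.0/24" service name="http" accept'
#   sudo firewall-cmd --reload

sample_as_configured | dvwa_fw_audit   # EXPOSED
sample_lab_only | dvwa_fw_audit        # RESTRICTED
```

On the lab server itself, pipe the live state into the function: sudo firewall-cmd --zone=public --list-all | dvwa_fw_audit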
You now have a fully functional web security lab ready for you to explore. Use it to learn, practice, and sharpen your skills in a safe and legal way. Happy hacking!
Source: https://kifarunix.com/install-and-setup-dvwa-on-centos-8/


