Why do we need a vulnerable web server?
Attacking a website or server on the internet without legal permission is a crime. Practice makes perfect, but where do we practise our hacking skills?
A simple answer is on our localhost: a web server running on our own PC, reachable only from that machine and not exposed to the internet.
There is a famous quote, "There is no place like 127.0.0.1". 127.0.0.1 is our home server, the loopback address of our own machine. It is an ideal place to learn and practise our skills, because nothing we do there touches anyone else's system. No place is better than localhost.
How to set up?
Setting up a vulnerable server is very easy. Here we set up DVWA on our Kali Linux machine.
DVWA stands for Damn Vulnerable Web Application. Oh yes, it is very vulnerable, and deliberately so. In this web application security researchers, penetration testers and ethical hackers test their skills and run their tools in a legal environment.
DVWA is designed for practising some of the most common web vulnerabilities. It is written in PHP and uses MySQL. Let's start without wasting time.
On a Linux system running Apache, the files served on localhost live in the /var/www/html directory, so we open a terminal and change into that directory using the following command:
Here we clone DVWA from its GitHub repository. To clone it we run the following command:
After the clone completes, we rename the DVWA directory to dvwa (not necessary, but it saves typing later).
Then we change the permissions on the dvwa directory using the following command:
Now we have to configure the web application so that it runs properly. For that we go into the dvwa/config directory.
Using the ls command we can see the list of files.
In the above screenshot we can see the config.inc.php.dist file. This file contains the default configuration. DVWA only reads config.inc.php, so we make a copy of the .dist file with the .php extension. We copy rather than rename it so that, if anything goes wrong later, the default values are still there to fall back on. We copy it with the .php extension using the following command:
Then we check the copied file using the ls command:
Then we use the nano editor to make changes to our newly created PHP file.
The screenshot is as follows:
In the database section we change the db_password value from p@ssw0rd to pass and the db_user value from root to user. These must match exactly the MySQL user and password we create in the next step. See the following screenshot:
Then we save with CTRL+X, press Y to confirm the changes, and press Enter to keep the file name and exit.
The next step is configuring the database.
Here we have closed the previous terminal and opened a new one. First we start the MySQL service using the following command:
If there are no errors, the service has started.
Now let's log in to MySQL using the following command:
On our Kali Linux the MySQL superuser is root; if our installation uses a different name, we log in with that user instead.
At the password prompt we press Enter without typing anything, because no password has been set for it. MySQL then opens as in the following screenshot:
Now, to set up the database, we start by creating a new user with the following command:
With this command we create a user called 'user', allowed to connect from 127.0.0.1 (localhost), with the password 'pass'. Remember that this username and password must be exactly the same as the ones we entered in the DVWA configuration file. The host part matters too: the configuration file sets db_server to 127.0.0.1, and MySQL/MariaDB treats 'user'@'127.0.0.1' (a TCP connection) and 'user'@'localhost' (a Unix socket connection) as different accounts, so the user must be created for 127.0.0.1.
In the screenshot we can see "Query OK". That means the user has been created.
Then we grant this user all privileges on the dvwa database. For that we type the following command:
Yes, we have finished the database work; now we configure the web server. For this we need to edit the PHP configuration used by apache2. Let's change our directory to /etc/php/7.3/apache2
Here we are using PHP 7.3; with another PHP version the directory name changes accordingly.
Here we edit the php.ini file with leafpad or any other text editor. We have used the mousepad editor.
We need to change the allow_url_fopen and allow_url_include values and set both of them to 'On'. When configuring for the first time we may find that one or both of them are set to 'Off' (allow_url_include is 'Off' by default). We have turned both of them 'On', as in the following screenshot. Note that both settings are deliberately insecure: allow_url_include is what makes DVWA's remote file inclusion exercises work, which is another reason this server must only ever be reachable from localhost.
Then we save and close the file.
Then we start the apache2 server using the following command:
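The whole command-line procedure above (clone, config file, database user, php.ini, services) collected into one script, with a check that the credentials in config.inc.php and the MySQL user can never disagree. This is an added example, not code from the tutorial or from the DVWA project. It assumes the web root is /var/www/html, that the upstream repository is https://github.com/digininja/DVWA, that Apache runs as www-data, that the MySQL superuser is root with no password, that the DVWA user is 'user' / 'pass' (overridable with DB_USER / DB_PASS), and that config.inc.php.dist uses plain quoted values as shown on this page. It uses GNU sed, the default on Kali.

```shell
#!/bin/sh
# Added example (not from the original tutorial or the DVWA project).
# Assumptions: web root /var/www/html, repo https://github.com/digininja/DVWA,
# Apache user www-data, MySQL root with no password, GNU sed (Kali default).
set -eu

DB_USER=${DB_USER:-user}
DB_PASS=${DB_PASS:-pass}
WEBROOT=${WEBROOT:-/var/www/html}
DVWA_REPO=${DVWA_REPO:-https://github.com/digininja/DVWA.git}

# Rewrite the db_user / db_password lines of config.inc.php in place.
# A line looks like:  $_DVWA[ 'db_user' ]     = 'root';
# so the value is the first 'quoted string immediately followed by ;'.
# Values must not contain ' / or & because they are spliced into sed code.
set_dvwa_db_creds() {
    cfg=$1
    user=$2
    pass=$3
    sed -i \
        -e "/'db_user'/s/'[^']*';/'$user';/" \
        -e "/'db_password'/s/'[^']*';/'$pass';/" \
        "$cfg"
}

# Read one value back out of config.inc.php (key is e.g. db_user):
# take the last 'quoted string' before the ; on the matching line.
read_dvwa_cred() {
    key=$1
    cfg=$2
    sed -n "/'$key'/s/.*'\([^']*\)';.*/\1/p" "$cfg"
}

# Set allow_url_fopen and allow_url_include to On in php.ini, whether the
# directive is currently Off, commented out with ';', or oddly spaced.
# Other directives are left untouched.
enable_php_url_options() {
    sed -i -E \
        's/^[[:space:]]*;?[[:space:]]*(allow_url_(fopen|include))[[:space:]]*=.*/\1 = On/' \
        "$1"
}

# Emit the SQL that creates the DVWA user and grants it the dvwa database.
# The host must be '127.0.0.1', not 'localhost': config.inc.php connects to
# 127.0.0.1 over TCP, and MySQL/MariaDB treats the two hosts as separate
# accounts. GRANT works before the database exists; setup.php creates it.
dvwa_db_sql() {
    cat <<EOF
CREATE USER IF NOT EXISTS '$1'@'127.0.0.1' IDENTIFIED BY '$2';
GRANT ALL PRIVILEGES ON dvwa.* TO '$1'@'127.0.0.1';
FLUSH PRIVILEGES;
EOF
}

# The full procedure from the tutorial. Needs root and network access.
install_dvwa() {
    cd "$WEBROOT"
    git clone "$DVWA_REPO" dvwa               # clone straight into lowercase dvwa
    chown -R www-data:www-data dvwa           # my choice; the page only says "change the permission"
    cp dvwa/config/config.inc.php.dist dvwa/config/config.inc.php
    set_dvwa_db_creds dvwa/config/config.inc.php "$DB_USER" "$DB_PASS"
    service mysql start
    # Build the DB user from what is now IN the config file, so the two
    # can never get out of step.
    dvwa_db_sql "$(read_dvwa_cred db_user dvwa/config/config.inc.php)" \
                "$(read_dvwa_cred db_password dvwa/config/config.inc.php)" \
        | mysql -u root
    # php.ini of the Apache SAPI for the installed PHP version (assumes the
    # CLI php is the same major.minor as the Apache module).
    enable_php_url_options "/etc/php/$(php -r 'echo PHP_VERSION;' | cut -d. -f1,2)/apache2/php.ini"
    service apache2 start
    echo "Now open http://127.0.0.1/dvwa/ and click Create/Reset Database."
}

# Only run the installer when explicitly asked:  DVWA_INSTALL=1 sudo -E sh setup-dvwa.sh
if [ "${DVWA_INSTALL:-0}" = 1 ]; then
    install_dvwa
fi
```

The helper functions are kept separate from install_dvwa so that the file edits can be tried on a copy of config.inc.php and php.ini before touching the live ones; the installer itself only runs when DVWA_INSTALL=1 is set, because it needs root, network access and a running MySQL.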
Let's open the browser and navigate to 127.0.0.1/dvwa/. On the first visit we are taken to setup.php, as shown in the screenshot.
Here we scroll down and click on "Create/Reset Database".
It then creates and configures the database, and we are redirected to the DVWA login page.
The default login is
- Username:- admin
- Password:- password
On the left side we can see the list of vulnerable pages on which we can practise.
DVWA has different security levels; to change them we navigate to DVWA Security. The levels are low, medium, high and impossible, and we can choose the difficulty we need.
Now we can run penetration testing tools and techniques against our localhost.
This is how we set up DVWA, Damn Vulnerable Web Application, on our Kali Linux system. It is very helpful for beginners and advanced users alike because of its multiple security levels.