Penetration TestingPentest Lab Setup

How to Install DVWA in Kali Linux for Pentesting

DVWA Install on Kali Linux for Pentesting Practice (Step-by-Step)

In this tutorial, I will give you a step-by-step guide on how to set up and install DVWA in your Kali Linux system and termux.

When you start as a login tester, you will need a pentesting lab to test your login skills. One such program is the Damn Vulnerable Web Application (DVWA). DVWA is a vulnerable web application built using PHP and MySQL that allows ethics hackers to test their hacking skills and security tools.

It is also an excellent guide for professional web developers with security in mind. They can use it to learn which features of the web application are easy to use. Some of the most common web threats identified by this application include Cross-Site Request Forgery (CSRF), File Installation, SQL injection, Bruteforce attack, and much more.


What is DVWA? DVWA, or more fully the Damn Vulnerable Web App is a security risk assessment app. It is intended for people who want to get used to checking the legal entry using a legal item. Getting started with DVWA is one of the best ways to start learning legal hijacking, the app is perfectly suited for a variety of users.

The app is built with PHP and MySQL, an old duet. What does it mean for someone who is willing to study for entrance exams? That the app is easy to install on a different OS, as both PHP and MySQL work almost everywhere. Also, the fact that it is built with PHP means that it will be easier to understand fragments of DVWA code. As the app has many examples of different injuries (more on this later) used in PHP. PHP is not a very complex programming language, and there are a variety of resources that can help you understand the PHP code. install DVWA

If we go straight to the point, today we will consider DVWA, we will see how we can stop DVWA, and finally how to use DVWA, Damn Vulnerable Application.


Table of Contents



Introduction :

The Damn Vulnerable Web Application, short for DVWA, is a high-risk PHP / MySQL web application. The main goal of this test venue is to help entry inspectors and security professionals assess their skills and tools. In addition, it can help web devs better understand how to secure web applications are, and also help students/teachers learn all about web application security and potential vulnerability.

DVWA: Dangerous Web Application : install DVWA

DVWA is a high-risk web application that is coded in PHP using the MySQL website. With this amazing web application, you can familiarize yourself with standard web crashes (different levels of difficulty) using its very simple GUI. You can play and try to find as many problems as you can to deepen your knowledge / skill.

Install Devices:

  • Linux
  • Android
  • Windows


DVWA Attacks:

  • Brute-force
  • Command Injection
  • CSRF
  • File Inclusion
  • File Upload
  • Insecure CAPTCHA
  • SQL Injection / SQL Injection (Blind)
  • Weak Session IDs
  • XSS_(DOM)
  • XSS_(Reflected)
  • XSS_(Stored)
  • CSP Bypass


  • web server
  • PHP
  • MySQL
  • Other possible dependencies (depending on the OS)



How to install DVWA

There are a few requirements you may need for DVWA installation. Here is a list of key requirements (some of which there are alternatives):

  • GIT Client (required to install DVWA in Kali Linux installation in particular) – this is required to download the source code of the project. However, you can download ZIP directly from the DVWA GitHub repository. Depending on your habits, you may want to use one method or another. I recommend using GIT as it is the fastest way. However, the wget command is also an option. With wget command you won’t need GIT, that’s up to you. Keep in mind that this is especially true for Linux OS. For Windows and MAC OS, you may want to download the source code directly with your browser.
  • PHP and MySQL – both technologies are required to use DVWA. We will include installation instructions in the latest categories. Both if you are tech-savvy you are more likely to have both. If not, packages like XAMPP will make the installation as a breeze.
  • Apache – a web server is required to successfully launch DVWA. Although technically a web server like Nginx can work for the system, Apache is recommended by the project team.





Installation – Android

Installation & Setup Install Ubuntu on Android

Open Termux App , Linux & Run all command step_by_step


Installation – Linux

Step 1: Download Damn Vulnerable Web Application (DVWA) :


Setting up a compromised server is very easy. Now set up DVWA on our Kali Linux machine.
DVWA stands for Damn Vulnerable Web Application. Oh yes, it is very dangerous. In this web application security researchers, hackers or ethics criminals test their skills and use the tools in a legal environment.

DVWA is designed to adapt to common web vulnerabilities. Made with PHP and MySQL. Let’s get started without wasting time.
Instead of Linux localhost files are stored in the  /var/www/html  /var/www/html directory, so we open a terminal and change our direction in that text using the following command:

cd /var/www/html

Here we include DVWA in the GitHub storage area. To compile it use the following command:

git clone 

After cloning is complete, we rename DVWA dvwa. on its own (not necessary but it will save our effort).

mv DVWA dvwa 



Step 2: Configure DVWA :

After downloading cloning DVWA from our directory /var/www/Html, we still need to do a little activation. To get started, let’s plan to read, write, and issue permissions on the DVWA directory.
Then change the permission on the individual directory by using the following command: –

chmod -R 777 dvwa/ 


Now we have to stop this web application to work properly because we have to go into /dvwa/config directory.

cd dvwa/config 

In the screenshot above we can see the file. This file contains the default configuration. We need to make a copy of this file with the .php extension name, we are dealing with this file because in the future if something goes wrong we will have default values. So we copy this file with the .php extension name using the following command



Then use the nano editor to make changes to our newly created PHP file. write the newly created file with the  nano  editor and make the necessary changes, as shown in the image below. We will set  db_user as user and  db_password as the default. Feel free to use a different username or password.



We will make changes in this part the p@ssw0rd to pass and the user from root. Watch the following screenshot:-

Save the file (Ctrl + O, then Enter) and exit (Ctrl + X). That’s all! We have finished setting up the DVWA Web system. Let’s go ahead and configure the database (MySQL).

Step 3: Install MySQL on Kali Linux :

By default, MySQL will be pre-installed on Kali Linux. If this is not the case with you or perhaps you are experiencing MySQL, we may go ahead and install it ourselves. If you work with Debian-based distribution, MySQL comes with two packages:

  • mysql-server
  • mysql-client

In our case, we will need to install mysql-server. However, there is a catch. If you try to use the apt install MySQL-server command you will probably find an error “Mysql-server package is not available, but refers to another package. E: The ‘mysql-server’ package has no installation candidate.” That is because the mysql-server package refers to the default-mysql-server in Kali Linux and in the recent release of Debian (Debian 10). Therefore, use the command below:

sudo apt install default-mysql-server 


Step 4: Configure MySQL Database :

Next is to configure the database.
Here we have opened a new terminal window that closes the previous one. We start MySQL initially using the following command: –

service mysql start 


Log in to the MySQL database using the command below as root. If you have another superuser name set in your system, use it instead of root.

mysql -u root -p 

You will see a command to enter a password. Just hit Enter as we have not set any password. MySQL will open, as shown in the image below:

After cloning is complete, we rename DVWA dvwa. on its own (not necessary but it will save our effort).

create user 'user'@'' identified by 'pass';

Here we use this command we create a user called ‘user’ who runs the server in (localhost) and the password says ‘pass’. Remember that this username and password must be exactly the same as the login and username we entered in the web server configuration file.

In the screenshot, we can see that the question is OK. That means the user is created.
Then grant this user all the rights on the site. We, therefore, write the following command: –

grant all privileges on dvwa.* to 'user'@'' identified by 'pass';


Step 5: Configure Apache Server :

Yes, we have completed the database task, and now we are preparing the server. For this, we need to configure our apache2 server. Let’s convert our index to  /etc/php/8.1/apache2,
Here we use version 8.1, if we use another version the method may change.

cd /etc/php/8.1/apache2 


Here we prepare the php.ini file using the leafpad of any good text editor. We_used_the_mousepad_editor.

mousepad php.ini 

We need to change the allow_url_fopen and allow_url_include values. We set both ‘On‘. In some cases when we first adjust it, we may find that one or more of these settings are set to ‘Off‘. We’ve changed both of these settings to ‘On‘, as the following screenshot: –

Then we save and close the file.


Then start the apache2 server using the following command: –

service apache2 start 


Step 6: Access DVWA on Your Browser :


Let’s open the browser and navigate to first open it to open setup.php as shown in the screenshot.


That will open the setup.php web page as shown in the image:


You may see red spots as in the picture above. Do not be afraid! Scroll down and click the Create / Reset Website button.


That will create and configure the database. After some time, you will be redirected to the DVWA login page. Sign in with the following information:

  • Username – admin
  • Password – password


Once logged in, you will see the main DVWA page. In the left panel, we have a variety of attacks you can use and the DVWA Security button that lets you choose the level of security you want – Low, Medium, High, or Impossible.


Conclusion :

That’s how we install DVWA in Kali Linux. It’s so easy, isn’t it? DVWA is an excellent resource for both beginners with entry testing and expertise. What you need to do is change the safety levels depending on your skills. Feel free to share the risk you found interesting to use with our readers in the comments section.


Hello, I'm SUMAN from India. I’m currently working on Cyber Ethical Hacking Penetration Testing & Bug Bounty. I’m currently learning more about Web Design, Android ROM

Related Articles

Notify of
Inline Feedbacks
View all comments
Back to top button
Would love your thoughts, please comment.x