Setting up Damn Vulnerable Web App (DVWA) on Ubuntu in Azure

Getting familiar with attacks is step one of knowing what you’re up against. One way to do that is getting a vulnerable application to hit against and sharpen your skills. Nothing beats Damn Vulnerable Web App (DVWA).

Here are the steps to get Damn Vulnerable Web App up and running in the Azure environment, all done via SSH (no RDP required).

Deploy Ubuntu 16.04 LTS

As you should always use the latest Ubuntu version, it’s also important to stay ‘stable’. To that end, we recommend sticking with the Long Term Support (LTS) versions of Ubuntu to get the best support.

SSH into machine once deployed

I typically recommend Bash for Windows, installing SSH. Alternative is a PowerShell SSH here.

Add repository to get php5.6

Run the following command to add the repository to get PHP 5.6 to work on Ubuntu 16.04. DVWA requires this version of PHP as it was written for it. The DVWA app itself would need to be rewritten for later versions of PHP; thus in the meantime, do this.

  • sudo add-apt-repository ppa:ondrej/php

Update and install

After installing the new repo, let’s update what packages apt-get will discover and install the necessary packages for PHP5.6

  • sudo apt-get update
  • sudo apt-get install php5.6 php5.6-mbstring php5.6-mcrypt php5.6-mysql php5.6-xml php5.6-gd

Install mysql

Time to install MySQL

  • sudo apt-get install mysql-server

Remember password for root of mysql (we use it later)

Install Git (to pull down DVWA)

We will use Git to pull down DVWA via GitHub, so first, of course, we need git!

  • sudo apt-get install git

Clone DVWA against GitHub

Now let’s pull down the bits…

Modify DVWA settings for MySQL permissions

Time to configure DVWA to know about our MySQL settings

  • cd DVWA/
  • sudo vi config/

Modify ‘db_password’ parameter for MySQL password (from step 5):

Modify permissions to give Apache privileges to traverse directory

In order for Apache to have permissions to present or even execute any of the PHP code (the DVWA itself!), we need to give it permissions. Since this is “damn vulnerable”, let’s make it even more so with a chmod 777

  • sudo chmod -R 777 /var/www/html/DVWA

Move the PHP Config file

Now let’s move our configured DVWA file to a file that makes it of value… (done by the DVWA folks on purpose…):

  • cp config/ config/

Set apache’s Server Name

We need Apache to stop complaining about not knowing its Fully Qualified Domain Name (FQDN). Let’s give it just what it wants…

  • sudo vi /etc/apache2/apache2.conf

Configure PHP to enable Apache URL Includes

Configure to enable PHP to support “allow_url_encodes”. This is necessary for the DVWA to work.

  • sudo vi /etc/php/5.6/apache2/php.ini
  • Find “allow_url_include” parameter and set it to “On” (line 835)

Restart Apache

Now that we made changes, specifically around PHP and the permissions in the DVWA folder, we should restart the Apache service.

  • sudo /etc/init.d/apache2 restart

Ensure Azure NSG can forward HTTP traffic to this machine

All should be good. Now we just need to configure Azure to make this HTTP endpoint routable via the Network Security Group of the VM. Go to the NSG mapped to this VM and make the following changes:

  • Add to inbound security rules for HTTP traffic

Your inbound rule policies should now look like this:

Traverse in browser to public IP of Ubuntu machine

Almost done, now we just need to head to the location we just configured everything. Go to the site’s URL, adding /DVWA to it. It will forward you to the setup.php url below (knowing the application needs to be setup still).

Press “Create / Reset Database”. Watch all the successes happen 🙂

Login and one last configuration…

Hard part is done. Now we login…

User: admin
Pass: password

In DVWA Security tab, make DVWA go to “Low” settings (i.e. Vulnerable)

Happy hacking!