How to install DVWA on Rocky Linux 8 and get a safe hacking playground
If you’ve ever wanted a deliberately insecure web app to practice SQL injection or file inclusion without breaking your production box, this guide will walk you through getting Damn Vulnerable Web Application (DVWA) up and running on Rocky Linux 8. By the end you’ll have a LAMP stack, a fresh MySQL database, and a browser‑ready DVWA instance.
Prerequisite: a clean Rocky Linux 8 install
I’ve seen newbies try to bolt DVWA onto a server that already hosts production sites – the result is a mess of permission errors and SELinux complaints. Start with a fresh VM or a spare machine; it saves you an afternoon of debugging.
1. Install the LAMP stack (Apache, MariaDB, PHP 7.4)
dnf install -y httpd mariadb-server php php-mysqlnd php-gd git vim
Why this matters: Apache will serve the pages, MariaDB stores DVWA’s data, and PHP is the language DVWA runs under. The php-gd package enables image handling used by some of the challenges.
Start and enable the services:
systemctl enable --now httpd mariadb
Secure MariaDB with a root password if you haven’t already:
mysql_secure_installation
2. Create a dedicated DVWA database and user
Log into MariaDB as root:
mysql -u root -p
Then run the following (replace the password with something you’ll remember):
CREATE DATABASE dvwadb;
GRANT ALL ON dvwadb.* TO 'dvwauser'@'localhost' IDENTIFIED BY 'dvwapass';
FLUSH PRIVILEGES;
EXIT;
Why this matters: Using a separate user limits what DVWA can do if something goes sideways – a habit that pays off later when you start testing real exploits.
3. Pull the DVWA source into Apache’s web root
git clone https://github.com/digininja/DVWA.git /var/www/html/
Check the files landed where you expect:
ls -1 /var/www/html/
You should see index.php, setup.php, a config folder, and a bunch of demo scripts.
4. Tweak the configuration file
Copy the sample config to its live name:
cp /var/www/html/config/config.inc.php.dist /var/www/html/config/config.inc.php
Edit it with your favorite editor (I stick with vim):
vim /var/www/html/config/config.inc.php
Update the DB credentials to match what you created earlier:
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwadb';
$_DVWA[ 'db_user' ] = 'dvwauser';
$_DVWA[ 'db_password' ] = 'dvwapass';
If you want to enable the “Insecure CAPTCHA” module, paste your Google reCAPTCHA keys into the same file. Otherwise just leave the placeholders – they won’t break anything.
5. Adjust PHP settings for DVWA’s quirks
Open /etc/php.ini:
vim /etc/php.ini
Find and change (or add) these directives:
allow_url_include = On
allow_url_fopen = On
display_errors = Off
Why this matters: DVWA relies on remote file inclusion for many challenges; turning those options on lets the lessons work. Turning off error display keeps the UI tidy, but you can flip it back while troubleshooting.
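A quick way to confirm the edit from step 5 actually took effect, as an added example that is not part of the original guide: the script reads the last uncommented value of each directive, since a stock php.ini often carries both a commented and a live copy of a setting. The function names (ini_value, ini_bool, check_dvwa_ini) and the sample file are hypothetical and constructed for illustration; unset directives are assumed to fall back to PHP's built-in defaults.

```sh
# Added example: audit the three php.ini directives from step 5 (hypothetical names).

# ini_value FILE KEY: print the effective (last uncommented) value, lowercased.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                      # commented-out directive
        {
            eq = index($0, "=")
            if (eq == 0) next                    # section header or blank line
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) != tolower(key)) next
            v = substr($0, eq + 1)
            sub(/;.*$/, "", v)                   # trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)     # padding and quotes
            last = tolower(v)                    # later duplicates win
        }
        END { print last }
    ' "$1"
}

# ini_bool VALUE: fold PHP boolean spellings to on/off (anything else: off).
ini_bool() { case "$1" in 1|on|true|yes) echo on ;; *) echo off ;; esac; }

# check_dvwa_ini FILE: report each directive; exit status = mismatch count.
# Entries are name:expected:default (default = PHP built-in when unset).
check_dvwa_ini() {
    bad=0
    for spec in allow_url_include:on:off allow_url_fopen:on:on display_errors:off:on; do
        name=${spec%%:*}; rest=${spec#*:}
        expect=${rest%%:*}; default=${rest#*:}
        raw=$(ini_value "$1" "$name")
        got=$(ini_bool "${raw:-$default}")
        if [ "$got" = "$expect" ]; then
            echo "ok       $name = $got"
        else
            echo "MISMATCH $name = $got (guide expects $expect)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: only the commented line was edited, so the live "Off" wins.
sample=$(mktemp)
printf '%s\n' '[PHP]' 'allow_url_fopen = On' ';allow_url_include = On' \
    'allow_url_include = Off' 'display_errors = Off' > "$sample"
check_dvwa_ini "$sample" || echo "$? directive(s) differ from step 5"
rm -f "$sample"
```

Run check_dvwa_ini /etc/php.ini after editing; a non-zero exit status means at least one directive still has a different effective value.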
6. Set proper ownership and SELinux context
Give Apache control over the web files:
chown -R apache: /var/www/html
SELinux often blocks writes to config or the IDS log directory. The quick‑and‑dirty fix is to set the system to permissive mode:
setenforce 0
sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
My take: If you’re comfortable with SELinux policies, create a proper module instead of disabling enforcement. For a throw‑away lab, permissive is fine.
7. Restart services
systemctl restart httpd mariadb
8. Finish the setup through the browser
Point your browser at http://<your-server-ip>/setup.php. The status page will flag any red items – most commonly the SELinux warning you just cleared.
Click Create / Reset Database. DVWA will drop and rebuild its tables, then hand you a login screen.
Default credentials are:
admin:password
Log in, explore the security level selector, and start poking at the vulnerable pages. Remember: this is a sandbox; never expose it to the internet without proper isolation.
That’s all there is to getting DVWA on Rocky Linux 8. You now have a contained environment for trying out web‑app exploits without endangering real services. Have fun breaking things (and fixing them again).