Damn Vulnerable Web App Install on Fedora 16

Getting DVWA up and running takes some effort if you’ve never installed it before. The documentation is decent, but it’s spread out and not entirely complete. This is a quick install tutorial for installing DVWA with XAMPP on Fedora 16.


Download XAMPP. Open a shell, and su to root.

Extract the downloaded archive file to /opt:

tar xvfz xampp-linux-1.7.7.tar.gz -C /opt

XAMPP is now installed below the /opt/lampp directory.  Use ‘/opt/lampp/lampp start' to start

You should now see something like this on your screen:

Starting XAMPP 1.7.7...
LAMPP: Starting Apache...
LAMPP: Starting MySQL...
LAMPP started.

Test if it’s working by going to http://localhost.


Download DVWA. Unzip, and place the unzipped files in your public html folder. In this case it will be placed in ‘/opt/lampp/htdocs/’

Navigate to to test if it’s working properly. The default user/pass is admin:password.

Database Setup

To set up the database, simply click on the Setup button in the main menu, then click on the ‘Create / Reset Database’ button. This will create / reset the database for you with some data in.

If you receive an error while trying to create your database, make sure your database credentials are correct within /opt/lampp/htdocs/config/config.inc.php

The variables are set to the following by default:

$_DVWA['db_user']='root'; $_DVWA['db_password']=''; $_DVWA['db_database']='dvwa';

If you are still getting an error message when trying to create the database, it’s most likely due to your $PATH. Follow these instructions to fix it.

export PATH=$PATH:/opt/lampp/bin

ech $PATH (to verify)

mysql -u root

UPDATE mysql.user SET Password=PASSWORD(‘password’) WHERE User=’root’;

flush privileges;


mysql -u root -p [enter password to confim change]


Accessing the DVWA remotely

If you are trying to access the DVWA setup remotely from another computer on the network, you will need to delete or rename the file ‘.htaccess’. It’s located in ‘/opt/lampp/htdocs/dvwa/’. You will need to do an ls -la to view it, as it’s a hidden file. This is a known issue and should be included in future documentation. DVWA: Issue 16


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s