Let’s walk through how to set up the Damn Vulnerable Web Application (DVWA) on Kali with Docker so that you can test your skills and tools in a safe and legal environment.
The beauty of using Docker is that you can set up the application in a container and spin it up or down whenever you want it with just a simple command, instead of having to download extra software, configure that software, and inevitably waste time with frustrating troubleshooting because random things aren’t working as they are supposed to!
Once you have Docker installed, all it takes is a simple command and a couple of minutes to get the application up and running.
Installing Docker on Kali Linux
For reference, the main repository for this project is: https://github.com/ethicalhack3r/DVWA
To start off, let’s find the DVWA image on Docker Hub.
As we can see from the instructions on that page, once we have Docker installed, we can run this simple command on our Kali Linux environment in order to get it running (but if you don’t have Kali already installed, refer to these resources for help and then come back to this article):
docker run --rm -it -p 80:80 vulnerables/web-dvwa
So if you already have Docker installed on your system, you should be able to go ahead and run this command. But I’m assuming you don’t since you’re reading this, so we’ll come back to that in a moment because first, we have to install Docker on Kali.
sudo apt update
sudo apt install -y docker.io
At this point, the docker service is started but not enabled. If you want Docker to start automatically after a reboot, which it won’t do by default, you can type:
sudo systemctl enable docker --now
The last step is to add our non-root user to the docker group so that we can use Docker:
sudo usermod -aG docker $USER
We now need to reload settings so that this permissions change applies.
The best way to reload permissions, though, is to log out and back in. If that doesn’t work, try rebooting the system. Otherwise, you may find that other terminal windows haven’t reloaded the settings and you get “permission denied” errors. But, if you’d rather not log out or reboot at this time, you can use the above command.
Installing the DVWA on Kali with Docker
Now, we can go back to this command that we saw earlier:
docker run --rm -it -p 80:80 vulnerables/web-dvwa
You’ll have to wait until it downloads the needed images and starts the container. After that, it will show you the Apache access logs so you can see requests going through the web server.
You can navigate to 127.0.0.1 in your browser in order to access the web application.
It will ask you to log in, and you can use the username admin and password password.
Initially, you will be redirected to localhost/setup.php where you can check configurations and then create the database.
Optional: Fixing configuration errors
You’ll notice that a few things weren’t configured properly (denoted in red). If you’re interested in fixing those, you can enter the running container by using this command from a different terminal window:
docker container ls
Which will give you the ID of the container, so that we can then:
docker exec -it [container-id] bash
Replace [container-id] with the actual ID, for example: 4c01db0b33ac
docker exec runs a command in a running container, and -it combines two options:
- -i, or --interactive, which keeps STDIN (standard input) open
- -t, or --tty, which allocates a pseudo-TTY, giving us a communication channel that looks like a physical terminal without being one. It feels like SSHing into the container, even though no SSH is involved.
Combining those options with the bash command is what lets us interact with the container. One easy way to remember this is that -it sounds like “interact”: I want to interact with this running container!
Anyway, once we’re inside the container, we can modify configuration files to fix any errors that we saw with the configurations.
The app configuration files are mostly in /var/www/html
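The install, run and exec steps above can be wrapped in one small helper script, so the lab is started, entered and torn down with a single command each and you never have to copy a container ID. This is an added example, not part of the original article or of the DVWA project. It assumes docker.io installed from apt and the vulnerables/web-dvwa image from Docker Hub; the container name dvwa-lab and the DVWA_* environment variables are this script’s own conventions. One deliberate difference from the article’s command: it publishes the port on 127.0.0.1 only, because -p 80:80 binds on every interface and would expose a deliberately vulnerable application to anyone on the same network.

```shell
#!/bin/sh
# dvwa-lab.sh: helper wrapping the Docker commands from the walkthrough.
# Added example, not the article's or the DVWA project's own code.
# Assumes: docker.io from apt, the vulnerables/web-dvwa image, and that
# the user has been added to the docker group.
set -eu

IMAGE="vulnerables/web-dvwa"
NAME="${DVWA_NAME:-dvwa-lab}"    # fixed name, so no container ID to copy
BIND="${DVWA_BIND:-127.0.0.1}"   # loopback only: the app is intentionally vulnerable
PORT="${DVWA_PORT:-80}"          # host port; 80 matches the article's URL

# in_group GROUP "GROUP-LIST": succeed when GROUP appears in a space-separated
# list, the format printed by `id -nG`. Pure, so it can run without Docker.
in_group() {
    _want="$1"
    for _g in $2; do
        [ "$_g" = "$_want" ] && return 0
    done
    return 1
}

# A group added with `usermod -aG` is only visible after logging out and back
# in; this check explains the classic "permission denied" on the Docker socket
# instead of letting `docker run` fail with a confusing error.
check_docker_group() {
    if in_group docker "$(id -nG)"; then
        return 0
    fi
    echo "user $(id -un) is not in the docker group in this session; log out and back in" >&2
    return 1
}

# run_args prints the `docker run` arguments. Printing rather than executing
# keeps it testable and lets you review the port binding before starting.
run_args() {
    echo "run -d --rm --name $NAME -p $BIND:$PORT:80 $IMAGE"
}

dvwa_start() {
    check_docker_group
    # shellcheck disable=SC2046  # word-splitting of run_args output is intended
    docker $(run_args)
    echo "DVWA is at http://$BIND:$PORT/ (then visit /setup.php to create the database)"
}
dvwa_shell() { docker exec -it "$NAME" bash; }   # same as `docker exec -it <id> bash`
dvwa_logs()  { docker logs -f "$NAME"; }          # the Apache access log the article mentions
dvwa_stop()  { docker stop "$NAME"; }             # --rm removes the container on stop

case "${1:-}" in
    start) dvwa_start ;;
    shell) dvwa_shell ;;
    logs)  dvwa_logs ;;
    stop)  dvwa_stop ;;
    *)     echo "usage: $0 {start|shell|logs|stop}" ;;
esac
```

Run it as ./dvwa-lab.sh start, then ./dvwa-lab.sh shell to get the same bash prompt inside the container that the docker exec command above gives you, and ./dvwa-lab.sh stop when you are done. Set DVWA_BIND=0.0.0.0 only if you really want the lab reachable from other machines.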
I like to use vim when editing files on Linux, so I’ll install that.
For example, if we want to enable captcha settings, we need to generate a key, and then we can put it in /var/www/html/config/config.inc.php:
Find the lines in that configuration file that talk about captcha settings, and you will find instructions along with a URL to generate the keys.
If you’re not familiar with vim, you can use the arrow keys to navigate. Press i to enter insert mode (allowing you to type), then press Esc and type :x to save changes and exit the file.
Once you save the file, you may have to restart Apache and/or the PHP engine in order for the configuration changes to apply.
Once you refresh the page, the captcha issue should now be green!
For more help on fixing configuration issues, please refer to the main GitHub repository.
Have fun! Now that we installed the DVWA on Kali with Docker, play around with the different vulnerabilities and the different difficulty levels.
Learn more about AppSec and Pentesting web applications
If you’d like to try a brute force attack, SQL injection attack, or Cross-Site Scripting attack on the DVWA on Kali with Docker, or if you’d like to learn more about Application Security in general, check out our Introduction to Application Security course!
We also have forum discussions where you can ask questions if you need any help!
Thanks for reading, and have fun!