How to set up DVWA on Kali Linux 2016/Ubuntu.

Set up DVWA on Kali Linux and Ubuntu.

What is DVWA?

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment.


How to set up DVWA on Kali Linux 2016/Ubuntu.
  • Go to this link, download the zip file and extract it. OR open a terminal and enter:

git clone


  • Now you should have a DVWA folder with some files in it. Copy the DVWA folder to /var/www/html.
  • Set the permissions of the DVWA folder to 755: open a terminal, type the command below and press Enter.

“chmod -R 755 /var/www/html/DVWA”


  • Start Apache:

“service apache2 start”

  • Start the MySQL server:

“service mysql start”

  • Open MySQL.
  • To create the database for DVWA, type the command below and press Enter.

“mysql -u root -p”

  • At the password prompt, press Enter again without entering any password.
  • Type:

“create database dvwa;”

  • After the above command, type exit and press Enter.


Open a browser and enter in the URL bar

A DVWA page will open. Click on create/reset database.

Refresh the page.

A login page will open.

Enter “admin” as the user name and “password” as the password.

You have successfully set up DVWA on your machine.

Note: The procedure to set up DVWA is the same on Kali and Ubuntu, so you can follow this for both Ubuntu and Kali Linux.


If you get an error connecting to the database, open your config file and delete the password for the db_password parameter, so that you have a value like the line below:

$_DVWA[ 'db_password' ] = '';

Save the file and refresh the browser page.
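
A quick way to confirm the two things this walkthrough depends on, the 755 permissions and an empty db_password, before loading the page. This is an added example, not part of DVWA or the original post; the function names are made up for illustration, and the config file path is passed in as an argument.

```shell
#!/bin/sh
# Added example: pre-flight check for the DVWA lab described above.
# Both paths are arguments; the config file location is supplied by the caller.

# Print the value assigned to $_DVWA[ 'db_password' ] in a PHP config file.
# Returns 1 when the file has no such assignment.
dvwa_db_password() {
    line=$(grep -E "^[[:space:]]*\\\$_DVWA\[[[:space:]]*'db_password'" "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | sed "s/^[^=]*=[[:space:]]*'\(.*\)'[[:space:]]*;.*/\1/"
}

# List entries under the DVWA folder whose mode is not exactly 755
# (symlinks skipped). Returns 0 only when nothing is listed.
dvwa_mode_drift() {
    drift=$(find "$1" ! -type l ! -perm 755 -print)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Run both checks. Assumes, as in the walkthrough, that MySQL root logs in
# with no password, so any non-empty db_password (even ' ') is a mismatch.
dvwa_preflight() {
    rc=0
    if ! dvwa_mode_drift "$1" >/dev/null; then
        echo "FAIL: entries under $1 are not mode 755 (re-run chmod -R 755)"
        rc=1
    fi
    if ! pw=$(dvwa_db_password "$2"); then
        echo "FAIL: no db_password assignment found in $2"
        rc=1
    elif [ -n "$pw" ]; then
        echo "FAIL: db_password is not empty, but root has no password here"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: permissions and db_password match the walkthrough"
    return "$rc"
}

# Usage: sh this-script /var/www/html/DVWA <path to your config file>
if [ "$#" -eq 2 ]; then
    dvwa_preflight "$1" "$2"
fi
```

A value of ' ' (one space between the quotes) is reported as a mismatch, because PHP treats it as a one-character password rather than an empty one.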


The next tutorial will be: How to perform an XSS attack on DVWA.

Update: Setup pentesting lab for XSS vulnerabilities on Kali Linux

Feel free to ask any question.




