DVWA requires some initial configuration before you can use it. This guide walks through the essential setup steps.
## Configuration File Setup
DVWA ships with a template configuration file that you need to copy and customize.
### Copy the Config File
On **Linux/macOS**:
```bash
cp config/config.inc.php.dist config/config.inc.php
```
On **Windows**, navigate to the `config` folder and:
1. Find `config.inc.php.dist`
2. Copy and rename it to `config.inc.php`
<Note>
If file extensions are hidden on Windows, see [How to Make Windows Show File Extensions](https://www.howtogeek.com/205086/beginner-how-to-make-windows-show-file-extensions/).
</Note>
## Configuration File Structure
The `config/config.inc.php` file contains all key settings for DVWA. Here are the main configuration options:
### Database Management System
```php
$DBMS = getenv('DBMS') ?: 'MySQL';
```
Specifies which database system to use. Currently supports:
- `MySQL` - MySQL or MariaDB (recommended)
- `PGSQL` - PostgreSQL (currently disabled)
### Database Connection
```php
$_DVWA['db_server'] = getenv('DB_SERVER') ?: '127.0.0.1';
$_DVWA['db_database'] = getenv('DB_DATABASE') ?: 'dvwa';
$_DVWA['db_user'] = getenv('DB_USER') ?: 'dvwa';
$_DVWA['db_password'] = getenv('DB_PASSWORD') ?: 'p@ssw0rd';
$_DVWA['db_port'] = getenv('DB_PORT') ?: '3306';
```
<Warning>
The database specified in `db_database` will be **entirely deleted** during setup. Use a dedicated database for DVWA.
</Warning>
### Connection Issues
If you're having problems connecting to MySQL and all variables are correct, try changing `db_server` from `localhost` to `127.0.0.1`. This fixes socket-related connection issues.
### Default Security Level
```php
$_DVWA['default_security_level'] = getenv('DEFAULT_SECURITY_LEVEL') ?: 'impossible';
```
Sets the initial security level for each session. Valid values:
- `low`
- `medium`
- `high`
- `impossible`

See Security Levels for details on what each level means.
### Other Settings
```php
// Default language for help pages
$_DVWA['default_locale'] = getenv('DEFAULT_LOCALE') ?: 'en';
// Disable authentication (for tool compatibility)
$_DVWA['disable_authentication'] = getenv('DISABLE_AUTHENTICATION') ?: false;
```
## Environment Variables (Docker)
Instead of editing the config file directly, you can set configuration options using environment variables. This is particularly useful for Docker deployments.
### Available Environment Variables
All configuration options can be set via environment variables:
- `DBMS` - Database management system
- `DB_SERVER` - Database server address
- `DB_DATABASE` - Database name
- `DB_USER` - Database username
- `DB_PASSWORD` - Database password
- `DB_PORT` - Database port
- `DEFAULT_SECURITY_LEVEL` - Initial security level
- `DEFAULT_LOCALE` - Language setting
- `DISABLE_AUTHENTICATION` - Disable login requirement
- `RECAPTCHA_PUBLIC_KEY` - reCAPTCHA public key
- `RECAPTCHA_PRIVATE_KEY` - reCAPTCHA private key
- `SQLI_DB` - SQLi lab database backend
### Docker Compose Example
Add environment variables to your `compose.yml`:
```yaml
environment:
  - DB_SERVER=db
  - DEFAULT_SECURITY_LEVEL=low
  - DEFAULT_LOCALE=en
```
## ReCAPTCHA Setup (Optional)
The reCAPTCHA configuration is only required for the "Insecure CAPTCHA" vulnerability module.
### Generate API Keys
- Visit Google reCAPTCHA Admin
- Create a new site and generate API keys
- Add the keys to your config file:
```php
$_DVWA['recaptcha_public_key'] = getenv('RECAPTCHA_PUBLIC_KEY') ?: '';
$_DVWA['recaptcha_private_key'] = getenv('RECAPTCHA_PRIVATE_KEY') ?: '';
```
Or set them as environment variables in Docker.
<Note>
You can skip this step if you don't plan to use the Insecure CAPTCHA module.
</Note>
## Folder Permissions
Certain directories need to be writable by the web server.
### Uploads Directory
The uploads folder must be writable for the File Upload vulnerability:
```bash
chmod 777 hackable/uploads/
```
Or more securely:
```bash
chown www-data:www-data hackable/uploads/
chmod 755 hackable/uploads/
```
Replace `www-data` with your web server user (e.g., `apache`, `nginx`).
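To confirm which of the two permission setups above is actually in effect, the following check reports whether the directory is world-writable or owned by the wrong account. It is an added example, not part of DVWA; the function name `audit_uploads` and its verdict strings are hypothetical.

```bash
#!/bin/sh
# Added example (not DVWA code): audit the uploads directory permissions.
# audit_uploads DIR WEB_USER prints one verdict and returns non-zero unless "ok":
#   missing         DIR does not exist
#   world-writable  any local account can write (the chmod 777 case)
#   wrong-owner     DIR is not owned by WEB_USER, so mode 755 blocks uploads
#   not-writable    the owner lacks the write bit
#   ok              owned by WEB_USER, owner-writable, not world-writable
audit_uploads() {
    dir=$1
    web_user=$2
    [ -d "$dir" ] || { echo "missing"; return 1; }
    # -prune limits find to DIR itself; -perm -MODE needs every bit in MODE set.
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "world-writable"; return 1
    fi
    if [ -z "$(find "$dir" -prune -user "$web_user")" ]; then
        echo "wrong-owner"; return 1
    fi
    if [ -z "$(find "$dir" -prune -perm -0200)" ]; then
        echo "not-writable"; return 1
    fi
    echo "ok"
}

# Constructed demo on a scratch directory, with the current UID as WEB_USER.
demo=$(mktemp -d)
chmod 777 "$demo"; echo "777 -> $(audit_uploads "$demo" "$(id -u)")"
chmod 755 "$demo"; echo "755 -> $(audit_uploads "$demo" "$(id -u)")"
rmdir "$demo"
```

Against a real install, call it as `audit_uploads hackable/uploads/ www-data`, substituting your web server user.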
## SQLite3 Configuration (Optional)
By default, SQL Injection labs use MySQL/MariaDB, but you can switch to SQLite3.
### Enable SQLite Backend
Edit your config file:
```php
$_DVWA['SQLI_DB'] = SQLITE;
$_DVWA['SQLITE_DB'] = 'sqli.db';
```
Or set via environment variable:
```bash
SQLI_DB=sqlite
```
### Install PHP SQLite Extension
On Debian/Ubuntu:
```bash
sudo apt install php-sqlite3
sudo service apache2 restart
```
### Reset SQLite Database
If you corrupt the database:
```bash
cp database/sqli.db.dist database/sqli.db
```
## Disable Authentication
Some security tools don't work well with authentication. You can disable it:
```php
$_DVWA['disable_authentication'] = true;
$_DVWA['default_security_level'] = 'low';
```
In this mode, you can access all features without logging in.

Disabling authentication removes all access controls. Only use this in isolated test environments.
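PHP's `getenv('X') ?: default` pattern keeps any string other than `""` and `"0"`, so `DISABLE_AUTHENTICATION=false` in a compose file arrives as the truthy string `"false"`. The preflight check below is an added example, not part of DVWA; `php_truthy` and `check_dvwa_env` are hypothetical names, and it assumes DVWA evaluates the setting in a boolean context.

```bash
#!/bin/sh
# Added example (not DVWA code): preflight check of compose environment values.
# Assumption: DVWA tests disable_authentication in a boolean context.

# php_truthy VALUE: succeeds when PHP would treat the string as true.
php_truthy() {
    case "$1" in
        ''|0) return 1 ;;
        *)    return 0 ;;
    esac
}

# check_dvwa_env: reads KEY=VALUE lines on stdin, prints one finding per key.
check_dvwa_env() {
    pw_set=no
    while IFS='=' read -r key value; do
        case "$key" in
        DISABLE_AUTHENTICATION)
            if php_truthy "$value"; then
                echo "WARN DISABLE_AUTHENTICATION='$value' is truthy in PHP"
            else
                echo "OK DISABLE_AUTHENTICATION='$value' falls back to false"
            fi ;;
        DEFAULT_SECURITY_LEVEL)
            case "$value" in
                ''|0) echo "OK DEFAULT_SECURITY_LEVEL falls back to impossible" ;;
                low|medium|high|impossible)
                    echo "OK DEFAULT_SECURITY_LEVEL=$value" ;;
                *)  echo "WARN DEFAULT_SECURITY_LEVEL='$value' is not a listed level" ;;
            esac ;;
        DB_PASSWORD)
            if php_truthy "$value"; then pw_set=yes; fi ;;
        esac
    done
    # Unset, empty or "0" all fall through to the default in config.inc.php.
    [ "$pw_set" = yes ] || echo "WARN DB_PASSWORD falls back to the documented default"
}

# Constructed sample: the environment list of a compose.yml, one entry per line.
check_dvwa_env <<'EOF'
DB_SERVER=db
DISABLE_AUTHENTICATION=false
DEFAULT_SECURITY_LEVEL=low
EOF
```

To keep authentication on through the environment, leave `DISABLE_AUTHENTICATION` unset or set it to `0`.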
## Next Steps
After configuring the file:
- Set up the database
- Navigate to `http://localhost/DVWA/setup.php`
- Click "Create / Reset Database"
- Log in with the default credentials:
  - Username: `admin`
  - Password: `password`

Your DVWA installation is now configured and ready to use!