How to install OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) in Kali Linux

OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application that provides a target for web-security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP. With dozens of vulnerabilities and hints to help the user, it is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs, and as a target for vulnerability assessment tools. Mutillidae has been used in graduate security courses, corporate web security training courses, and as an "assess the assessor" target for vulnerability assessment software.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to aid teachers and students in teaching and learning web application security in a classroom environment.

Preparation

MySQL 5.7 changed the security model: logging in to MySQL as root now requires sudo (the password can still be empty). Both lab applications connect to the database as root, so with these default settings OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) will not work.

To access the MySQL / MariaDB database as an ordinary user without sudo privileges, open the MySQL command prompt:

sudo systemctl start mysql
sudo mysql

and run the following commands:

use mysql;
update user set plugin='' where User='root';
flush privileges;
exit

Then restart the MySQL service:

sudo systemctl restart mysql.service

If you see empty pages when you open the browser, it means that you also need to switch from PHP 7.2 to PHP 7.3, as described in the article ‘Troubleshooting: Kali Linux web server shows blank pages’.

How to install OWASP Mutillidae II in Kali Linux

Create a file upd_mutillidae.sh:

gedit upd_mutillidae.sh

and copy-paste the script into the created file:

#!/bin/bash

# Install PHP, the extensions Mutillidae needs, and serve PHP through PHP-FPM
sudo apt update
sudo apt install php-xml php-fpm libapache2-mod-php php-mysql php-gd php-imap php-curl php-mbstring -y
sudo a2enmod proxy_fcgi setenvif
sudo systemctl restart apache2
sudo a2enconf php7.4-fpm
sudo systemctl reload apache2
sudo systemctl restart apache2.service
sudo service php7.4-fpm restart
sudo systemctl restart mysql

# Fetch the current release; stop here if the clone fails so that the
# existing installation is left untouched
cd /tmp
git clone https://github.com/webpwnized/mutillidae
if [ $? -ne 0 ]; then
    exit 1
fi

# Keep the previous installation as mutillidae.backup
if [ -d "/var/www/html/mutillidae.backup" ]; then
    sudo rm -rf /var/www/html/mutillidae.backup
fi

if [ -d "/var/www/html/mutillidae" ]; then
    sudo mv /var/www/html/mutillidae /var/www/html/mutillidae.backup
fi

# Move the files into the web root and replace the default database password
# in the config with an empty one (MySQL root has no password after the
# Preparation step above)
sudo mkdir /var/www/html/mutillidae
sudo mv mutillidae*/* /var/www/html/mutillidae/
sudo sed -i "s/'DB_PASSWORD', 'mutillidae'/'DB_PASSWORD', ''/" /var/www/html/mutillidae/includes/database-config.inc

sudo chown -R www-data:www-data /var/www/html/mutillidae/

sudo rm -rf mutillidae*

cd

Run the script:

sudo bash upd_mutillidae.sh

After the installation is completed, OWASP Mutillidae II is available at http://localhost/mutillidae/.

The first time you open it, click ‘setup/reset the DB’ and wait while the database is populated. Then just click ‘OK’ in the popup.

Now you are ready to learn how to hack web sites.

In addition, you can use the above script to update OWASP Mutillidae II after a new version is released.

The script started all the necessary services, but they do not start automatically after a reboot. After every system restart you need to start them again before you can access Mutillidae:

sudo systemctl start php7.4-fpm.service
sudo systemctl start apache2.service
sudo systemctl start mysql

How to install Damn Vulnerable Web Application (DVWA) in Kali Linux

Create a file upd_dvwa.sh:

gedit upd_dvwa.sh

and copy-paste the script into the created file:

#!/bin/bash

sudo apt update
sudo apt install php php-mysql php-gd -y

# DVWA's file inclusion exercises expect allow_url_include to be On. This
# setting enables remote file inclusion for every PHP application served by
# this Apache, so it belongs on a lab machine only
sudo sed -i 's/allow_url_include = Off/allow_url_include = On/' /etc/php/7.4/apache2/php.ini

sudo systemctl restart apache2
sudo systemctl restart mysql

# Fetch the current release; stop here if the clone fails so that the
# existing installation is left untouched
cd /tmp

git clone https://github.com/ethicalhack3r/DVWA.git
if [ $? -ne 0 ]; then
    exit 1
fi

# Keep the previous installation as dvwa.backup
if [ -d "/var/www/html/dvwa.backup" ]; then
    sudo rm -rf /var/www/html/dvwa.backup
fi

if [ -d "/var/www/html/dvwa" ]; then
    sudo mv /var/www/html/dvwa /var/www/html/dvwa.backup
fi

sudo mkdir /var/www/html/dvwa
sudo mv DVWA*/* /var/www/html/dvwa/

sudo chown -R www-data:www-data /var/www/html/dvwa/

sudo rm -rf DVWA*

# Create the config from the shipped template, clear the default database
# password and make DVWA connect as root (no password after the Preparation step)
sudo mv /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php
sudo sed -i 's/p@ssw0rd//' /var/www/html/dvwa/config/config.inc.php
sudo sed -i "s/'db_user' ]/'db_user' ] = 'root'; \/\//" /var/www/html/dvwa/config/config.inc.php

cd

Run the script:

sudo bash upd_dvwa.sh
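The DVWA script above switches allow_url_include on in the system php.ini with a plain sed, which silently does nothing if the line is spaced differently or commented out. The following check is an added example, not part of the article: it reads the effective value of a php.ini directive (last uncommented assignment wins, trailing ';' comments stripped) and lists the permissive directives that are enabled. The default path and the directive list are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the article): report php.ini directives that are
# switched on for the lab but should stay off on any real server.

# Print the effective value of directive $2 in php.ini file $1: the last
# uncommented assignment wins; whitespace and trailing ';' comments are removed.
# Empty output means the directive is not set in that file.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//'
}

# Return 0 when a php.ini value means "enabled" (On, 1, True, Yes).
is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "directive value" for every named directive that is enabled in file $1.
# Usage: audit_php_ini /path/to/php.ini allow_url_include display_errors
audit_php_ini() {
    ini=$1
    shift
    for key in "$@"; do
        val=$(ini_value "$ini" "$key")
        if is_on "$val"; then
            echo "$key $val"
        fi
    done
}

# Run against the php.ini the DVWA script edits (path is an assumption):
#   sh php_ini_audit.sh --check
if [ "${1:-}" = "--check" ]; then
    audit_php_ini "${PHP_INI:-/etc/php/7.4/apache2/php.ini}" allow_url_include display_errors
fi
```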

DVWA is now available at http://localhost/dvwa/.

Inside DVWA go to Setup / Reset DB and click on the 'Create / Reset Database' button.

You can also use the above script to update DVWA after a new version is released.

After rebooting Kali Linux, remember to start the Apache and MySQL services before you try to reach DVWA.

If you have changed the MySQL password (there is none by default), update the corresponding files:

  • /var/www/html/mutillidae/classes/MySQLHandler.php (for Mutillidae)
  • /var/www/html/dvwa/config/config.inc.php (for DVWA)

See also: ‘How to protect web server on Kali Linux from unauthorized access’.


19 Comments to How to install OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) in Kali Linux

  1. Alex says:

    The guide and scripts are updated, they work again.

  2. Ahmed Fathy says:

    You're awesome, guys.

  3. Alex says:

    The scripts were updated in connection with the transition of Kali Linux to PHP 7.2.

  4. Anonymous says:

    Nice article 🙂

  5. mike says:

    I have followed all steps, however when I go to the initial webpages, instead of the mutillidae/dvwa setup pages appearing, there is simply a blank screen. I was wondering if you had any advice on where to start troubleshooting?

    • Alex says:

      Hello!

      Right now I repeated the steps on a fresh Kali Linux installation. It is working! Did you see the link in the article: ‘Troubleshooting: Kali Linux web server shows blank pages’?

      I suppose you missed this step.

      Please check errors in the log file:

      tail /var/log/apache2/error.log
      
      • John Rich says:

        I'm getting the same thing with a blank page for mutillidae… the error showing in my error.log is:

        8] PHP Fatal error:  Uncaught Error: Call to undefined function simplexml_load_file() in /var/www/html/mutillidae/owasp-esapi-php/src/reference/DefaultSecurityConfiguration.php:136\nStack trace:\n#0 /var/www/html/mutillidae/owasp-esapi-php/src/reference/DefaultSecurityConfiguration.php(116): DefaultSecurityConfiguration->_loadConfiguration('/var/www/html/m…')\n#1 /var/www/html/mutillidae/owasp-esapi-php/src/ESAPI.php(362): DefaultSecurityConfiguration->__construct('/var/www/html/m…')\n#2 /var/www/html/mutillidae/owasp-esapi-php/src/ESAPI.php(66): ESAPI::getSecurityConfiguration('/var/www/html/m…')\n#3 /var/www/html/mutillidae/index.php(157): ESAPI->__construct('/var/www/html/m…')\n#4 {main}\n  thrown in /var/www/html/mutillidae/owasp-esapi-php/src/reference/DefaultSecurityConfiguration.php on line 136
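The blank page in the comment above comes from a missing PHP extension: simplexml_load_file() is provided by php-xml, which the article's script installs. The following diagnostic is an added example, not code from the article: it maps "Call to undefined function" entries in the Apache error log to the Debian/Kali package that provides the function, and lists the extensions the lab apps need that are absent from `php -m`. The function-to-package table and the required-module list are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the article): diagnose blank lab pages caused by
# missing PHP extensions, using the Apache error log and `php -m`.

# Map a PHP function name to the Debian/Kali package that provides it.
# Only extensions used by Mutillidae and DVWA are covered (table is an assumption).
package_for_function() {
    case "$1" in
        simplexml_*|xml_*)   echo "php-xml" ;;
        mysqli_*|mysql_*)    echo "php-mysql" ;;
        imagecreate*|gd_*)   echo "php-gd" ;;
        mb_*)                echo "php-mbstring" ;;
        curl_*)              echo "php-curl" ;;
        *)                   echo "unknown" ;;
    esac
}

# Read Apache error log lines on stdin; for each "Call to undefined function
# NAME()" print "NAME package", one line per distinct function.
diagnose_log() {
    sed -n 's/.*Call to undefined function \([A-Za-z0-9_]*\)().*/\1/p' |
        sort -u |
        while read -r fn; do
            echo "$fn $(package_for_function "$fn")"
        done
}

# Read `php -m` output on stdin; print the required extensions that are not
# loaded, one per line (empty output means nothing is missing).
missing_modules() {
    loaded=$(cat)
    for mod in SimpleXML mysqli gd mbstring curl; do
        printf '%s\n' "$loaded" | grep -qix "$mod" || echo "$mod"
    done
}

# Run on the lab host:  sh blank_page_check.sh --check
if [ "${1:-}" = "--check" ]; then
    diagnose_log < /var/log/apache2/error.log
    php -m | missing_modules
fi
```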
         

  6. Anonymous says:

    I followed all the steps but after clicking on setup/Reset the db, I am not getting the popup of successful setup. My db is getting set and I am seeing nothing on the index page. Please help.

  7. Del says:

    I can no longer login to mysql after running the initial mysql cmds removing the plugin.

  8. Blooder says:

    HOW TO LOGIN INTO MYSQL AFTER MUTILLIDAE INSTALLATION:

    After you do all the steps of the tutorial to install mutillidae, the password to login into mysql will change.

    In order to reset the database to start using mutillidae, it asks you to change the password for the root user. The new password will be 'mutillidae'.

    You can only login into mysql using this query:

    mysql -u root -p 

    Then, mysql will ask you to enter the password. Just insert 'mutillidae'.

    I spent two entire days to solve this problem. 

    So this may be useful for someone.

     

  9. whocares says:

    Remember to write at the top of the article when it was written… last updated… we live in 2019… should be common sense.

     

    Thanks a lot. 

  10. SecurityMonk says:

    Folks who are getting a blank page, it is mostly because the DB is not set properly; check the following:

    1. Do you have the same username and password in the config file and the database?

    2. Do you have permissions set up for the user created for Mutillidae and DVWA?

    3. Do you have the correct directory permissions for Mutillidae and DVWA?

  11. Alex says:

    Scripts are checked and updated on April 30, 2020 – everything works fine!

  12. Divya says:

    Hey Alex, I am launching the mutillidae using a different IP address, but when I launch the mutillidae in the browser I'm getting

    Forbidden
    You don't have permission to access this resource.
    Apache/2.4.29 (Ubuntu) Server at 149.165.157.203 Port 80 on the screen 

    i gave the child permissions too.

    I changed the .htacess file and gave access to my IP . 

    still its the same.

    this is my .htacess file code

    Order Allow,Deny
    Deny from all
    
    ## This allows access from localhost
    #Allow from 127.
    #Allow from localhost
    Allow from 10.0.1.17
    
    ## This is to allow access from other machines on Virtual Box host-only networks.
    Allow from 192.168.0.0/16
    Allow from 10.0.1.0/24
    
    ## The following section disables PHP magic quoting feature.
    ## Turning these on will cause issues with Mutillidae.
    ## Note: Turning these on should NEVER be relied on as a method for securing against injection attemps. 
    ## As of PHP 6 these options will be removed for exactley that reason.
    
    ## Donated by Kenny Kurtz
    
    php_flag magic_quotes_gpc off
    php_flag magic_quotes_sybase off
    php_flag magic_quotes_runtime off

    What am I doing wrong? Any help is much appreciated.

    • Alex says:

      Hello! The Allow,Deny directives are deprecated with Apache 2.2. Nowadays there is Apache 2.4.* on Kali Linux.

      Please pay attention that in your error 149.165.157.203 is mentioned, it is not a local IP. If you use a hostname to access your web server, please check your DNS settings.

      By the way, you misspelled name of .htaccess file (not .htacess).

      Did you enable .htaccess support on your web server? It is disabled by default.

      With Apache 2.4.*, please use any of the following notations in .htaccess (to allow access for a single IP or for network ranges). “Require ip” can be used multiple times.

      Require ip 10.1.2.3
      # or
      Require ip 10.1
      # or
      Require ip 10 172.20 192.168.2
      # or
      Require ip 10.1.0.0/16
      # or
      Require ip 10.1.0.0/255.255.0.0
      # or
      Require ip ::1

      By the way, please keep in mind that settings in parent directories (including access control) can affect child directories.
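The reply above explains that Apache 2.4 uses Require in place of the 2.2 Order/Allow/Deny directives (2.4 only understands the old ones when mod_access_compat is loaded). The following helper is an added example, not part of the exchange: it lists the 2.2 directives in an .htaccess file and prints the equivalent Require lines for its Allow from rules, with a hostname such as localhost mapped to Require host and the 2.2-style partial address "127." mapped to the 2.4 form. Only the directives used in the .htaccess quoted above are handled.

```shell
#!/bin/sh
# Added example (not from the article): find Apache 2.2 access-control
# directives in an .htaccess file and print their Apache 2.4 equivalent.

# Print only live directive lines: leading whitespace, comments and blanks removed.
live_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# Print the Apache 2.2 (mod_access_compat) directives present in file $1.
deprecated_directives() {
    live_lines "$1" | grep -i -E '^(Order|Allow from|Deny from)[[:space:]]' || true
}

# Print Apache 2.4 "Require" lines equivalent to the Allow/Deny rules in file $1.
# With no Allow rule at all the result is "Require all denied", matching a
# 2.2 file that only contains "Deny from all".
convert_to_require() {
    ips=""
    hosts=""
    for src in $(live_lines "$1" | sed -n 's/^[Aa]llow[[:space:]]*from[[:space:]]*//p'); do
        case "$src" in
            all)        echo "Require all granted"; return 0 ;;
            *:*)        ips="$ips $src" ;;            # IPv6 address or prefix
            *[A-Za-z]*) hosts="$hosts $src" ;;        # hostname such as localhost
            *)          ips="$ips ${src%.}" ;;        # IPv4, CIDR, or 2.2 partial "127."
        esac
    done
    if [ -z "$ips$hosts" ]; then
        echo "Require all denied"
        return 0
    fi
    [ -n "$ips" ] && echo "Require ip$ips"
    [ -n "$hosts" ] && echo "Require host$hosts"
    return 0
}

# Usage: sh htaccess_check.sh /var/www/html/mutillidae/.htaccess
if [ -f "${1:-}" ]; then
    echo "Apache 2.2 directives found:"
    deprecated_directives "$1"
    echo "Apache 2.4 equivalent:"
    convert_to_require "$1"
fi
```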

  13. Anonymous says:

    nice and direct article 

  14. Alex says:

    Scripts and commands have been checked and fixed, as of August 31, 2020 everything is working fine in the latest Kali Linux.
