Configure Web Application Penetration Testing Lab

In our previous article, you had learned how to configure a web server using Ubuntu system with the help of LAMP services for designing your own pentest lab. Today you will how to configure the famous 4 web application (DVWA, bWAPP, SQLI, and Mutillidae) inside web server for web penetration (WAPT) practices.

Let’s Begin!!

Open the terminal and login with root user and move inside html directory using the following command

Basically to operate all web application on the browser through localhost you should download and configure these web application inside html directory only.


Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications.

Download dvwa inside html using the following command.

Now type following command step by step to configure dvwa.

From given image you can see we have downloaded the file, now unzip this file using below command.

After unzip, move file and folder of DVWA-master into dvwa

 After then move inside config in order to rename into

Now open using above command, here you will observe that db_password is [email protected]  But remove the password and left it blank space for db_password.

 After leaving blank password save

Now run the web application in the browser through URL:  localhost/dvwa/setup.php

As shown in the given image a web page will get open for dvwa setup, now click on a given tab Create/ Reset Database.

Login into web application through URL: localhost/dvwa/login.php by default the username and password is admin: password respectively for login into dvwa.

Using the above step for installation you can configure dvwa in your web server and perform web penetration testing by exploiting given vulnerabilities.


buggy web application is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

Now download bwapp and then unzip that folder.

Now shift bwapp from download directory to html directory using the move command

Now you can observe we have bwapp inside html directories.

Now make following changes inside the file “setting.php” for its configuration.

Here remove the password “bug” for db_password as done above.

Now Leave blank space for db_password and then save the file.

Now browse web application through URL: localhost/bwapp/install.php

As shown in the image a web page will get open for installation; now click on the given link “click here to install wapp”. After that, your bwapp will get successfully install and will ready for penetration testing.

Now use the default username and password bee: bug for login into bwapp and start your practice.


SQLI labs to test error based, Blind boolean based, Time based.

Download SQLI dhakkan inside html directory and then unzip it.

Copy all file and folder of sqli-labs-master into sqli using the following command

Now open web application inside the browser using URL: localhost/sqli Click on “Setup/reset Database for labs”    

This will create database setup for lab and after that, it will be ready for SQL penetration testing. This lab is design for mainly SQL injection attack each lesson have different SQL error.

OWASP Mutillidae II Web Pen-Test Practice Application

OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for the web-security enthusiast. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulns and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an “assess the assessor” target for vulnerability assessment software

Download Mutillidae using the following command

Move file and folder of Mutillidae from the inside download into var/www/html by typing following command

This web application does not require extra configuration setting you can directly open it inside the browser using URL: localhost/mutillidae

Now use your pentest skill to exploit its vulnerability.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

1 Comment Configure Web Application Penetration Testing Lab

  1. Mokhamad Angga

    i just install sqli dhakkan, and i just click the Setup/Reset Database for labs like your tutorial, but not working like above, just the dhakkan like can’t connect to the phpmyadmin database
    then i try to login phpmyadmin manually, but i can’t, i configure like the tutor to ‘blank’ the password, but i just try to login manually on phpmyadmin i left blank password but can’t login, how?
    i’m so sorry, i just beginner hehe, thx


Leave a Reply

Your email address will not be published. Required fields are marked *