DEV Community

Zaenal Arifin

How to Install DVWS (Damn Vulnerable Web Services) on Nginx

DVWS (Damn Vulnerable Web Services) is a deliberately vulnerable web application for learning web and API penetration testing. Below is a complete, improved step-by-step guide to install DVWS on an Ubuntu + Nginx server plus important production safety notes and alternatives.


Table of contents

  1. Prerequisites
  2. Step 1 — Update & install packages
  3. Step 2 — Install PHP-FPM and required PHP extensions
  4. Step 3 — Create Nginx site configuration for DVWS
  5. Step 4 — Enable site & test configuration
  6. Step 5 — Download DVWS and set permissions
  7. Step 6 — Verify in browser
  8. Extra recommendations & missing pieces added
  9. Quick Docker alternative
  10. Final security & ethical notes
  11. Troubleshooting quick checklist

Prerequisites

  • A server running Ubuntu (the commands below assume Debian/Ubuntu).
  • sudo privileges.
  • Nginx not already serving a conflicting site on port 80 (or use alternate port).
  • Important: DVWS is intentionally insecure — do not expose it to the public Internet without containment (use private network, VPN, or local VM).

Step 1 — Update & install base packages

sudo apt update
sudo apt upgrade -y

# install nginx, git, unzip (if needed)
sudo apt install -y nginx git unzip

Step 2 — Install PHP-FPM and common PHP extensions

DVWS is PHP based. Install PHP-FPM and common extensions that web apps often need. Adjust PHP version (7.4, 8.0, 8.1) to your system.

# example: install PHP 8.1 (change the version if needed)
sudo apt install -y php8.1-fpm php8.1-cli php8.1-mbstring php8.1-xml php8.1-curl php8.1-zip php8.1-mysql

Verify PHP-FPM socket path (you'll need this for Nginx config):

ls /run/php
# example output: php8.1-fpm.sock

If you use a different PHP version, update the socket path in Nginx config accordingly (e.g. /run/php/php7.4-fpm.sock or /run/php/php8.1-fpm.sock).


Step 3 — Configure Nginx for DVWS

Create a new site config (any editor works; vim is shown). Example path: /etc/nginx/sites-available/dvws.

sudo vim /etc/nginx/sites-available/dvws

Paste this (adjust server_name and root to match your environment):

server {
    listen 80;
    server_name your_domain_or_ip;   # replace with your domain or IP

    root /var/www/html/DVWS;
    index index.php index.html;

    # Optional: limit large uploads (if needed)
    client_max_body_size 10M;

    # Deny access to hidden files (like .env, .git). This block sits before the
    # PHP block on purpose: nginx uses the first regex location that matches, so
    # placed after it, a request for /.git/foo.php would be handed to PHP-FPM.
    location ~ /\. {
        deny all;
    }

    # Serves static files or falls back to index.php
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP processing
    location ~ \.php$ {
        # snippets/fastcgi-php.conf (from Ubuntu's nginx package) already includes
        # fastcgi.conf, which sets SCRIPT_FILENAME and the other fastcgi params
        include snippets/fastcgi-php.conf;
        # make sure the socket path matches the installed PHP-FPM version
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }
}

Notes:

  • Replace your_domain_or_ip with your server IP or domain.
  • Check the exact php-fpm socket under /run/php and update fastcgi_pass accordingly.

Step 4 — Enable the site and test Nginx

# create symlink
sudo ln -s /etc/nginx/sites-available/dvws /etc/nginx/sites-enabled/

# test nginx config
sudo nginx -t

# restart nginx to apply changes
sudo systemctl restart nginx

If nginx -t reports errors, fix them before restarting.


Step 5 — Download DVWS and set permissions

Clone the DVWS repository into the configured root. Read the repository README first: more than one project goes by the DVWS acronym, so confirm this is the code base you intend and what it needs (PHP version, extensions, database) before wiring it up.

sudo git clone https://github.com/interference-security/DVWS.git /var/www/html/DVWS

# set owner to www-data (nginx default user) and adjust permissions
sudo chown -R www-data:www-data /var/www/html/DVWS
sudo find /var/www/html/DVWS -type d -exec chmod 755 {} \;
sudo find /var/www/html/DVWS -type f -exec chmod 644 {} \;

If DVWS needs writable directories (e.g. uploads), make only those directories writable by the web server:

sudo chown -R www-data:www-data /var/www/html/DVWS/uploads
sudo chmod 770 /var/www/html/DVWS/uploads

Step 6 — Access DVWS via browser

Open in your browser:

http://your_domain_or_ip/

You should see the DVWS interface. If you get a 500 / PHP error, check:

  • PHP-FPM service: sudo systemctl status php8.1-fpm
  • Nginx error log: /var/log/nginx/error.log
  • PHP-FPM log: /var/log/php8.1-fpm.log (path may differ)
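Steps 1 to 6 collected into one script, as an added example that is not part of the original post or of the DVWS project. It assumes Ubuntu with apt, the snippets/fastcgi-php.conf shipped by Ubuntu's nginx package, and the repository URL from Step 5; the SERVER_NAME default of "_" (nginx's catch-all) and the DVWS_RUN guard are choices made here. Rather than hard-coding php8.1, it reads which PHP-FPM socket actually exists under /run/php and renders the fastcgi_pass line from that, which removes the socket mismatch the troubleshooting notes warn about, and it keeps the hidden-file deny ahead of the PHP location:

```shell
#!/bin/sh
# install_dvws.sh: Steps 1-6 of this post as one script.
# Added example, not part of the DVWS project. Assumptions: Ubuntu with apt,
# the snippets/fastcgi-php.conf shipped by Ubuntu's nginx package, and the
# repository URL from Step 5. Usage: DVWS_RUN=1 SERVER_NAME=10.0.0.5 sudo -E sh install_dvws.sh
set -eu

REPO_URL="https://github.com/interference-security/DVWS.git"
SITE_ROOT="/var/www/html/DVWS"
SERVER_NAME="${SERVER_NAME:-_}"   # "_" is nginx's catch-all name (assumed default)

# "php8.1-fpm.sock" -> "8.1"; prints nothing for names that are not FPM sockets.
php_version_from_socket() {
    printf '%s\n' "$1" | sed -n 's/^php\([0-9][0-9.]*\)-fpm\.sock$/\1/p'
}

# Report the version of the first php*-fpm socket in /run/php, so fastcgi_pass
# matches the PHP that apt actually installed instead of a hard-coded 8.1.
detect_php_version() {
    for s in /run/php/php*-fpm.sock; do
        [ -S "$s" ] || continue
        php_version_from_socket "$(basename "$s")"
        return 0
    done
    return 1
}

# Render the server block for a given PHP version, server_name and docroot.
# The hidden-file deny comes before the PHP location because nginx takes the
# first matching regex location; otherwise /.git/x.php would reach PHP-FPM.
render_site_conf() {
    ver="$1"; name="$2"; root="$3"
    cat <<EOF
server {
    listen 80;
    server_name $name;

    root $root;
    index index.php index.html;
    client_max_body_size 10M;

    location ~ /\\. {
        deny all;
    }

    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }

    location ~ \\.php\$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php${ver}-fpm.sock;
    }
}
EOF
}

# Least privilege: www-data owns the tree, nothing is world-writable, and only
# the subdirectories named in $2 (space separated, e.g. "uploads") get group write.
set_permissions() {
    root="$1"; writable="${2:-}"
    chown -R www-data:www-data "$root"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    for d in $writable; do
        if [ -d "$root/$d" ]; then chmod 770 "$root/$d"; fi
    done
}

main() {
    apt-get update && apt-get install -y nginx git unzip
    # meta-packages pull in the distro's default PHP; pin php8.1-* etc. if you need a specific one
    apt-get install -y php-fpm php-cli php-mbstring php-xml php-curl php-zip php-mysql
    ver="$(detect_php_version)" || { echo "no php*-fpm.sock under /run/php" >&2; exit 1; }
    render_site_conf "$ver" "$SERVER_NAME" "$SITE_ROOT" > /etc/nginx/sites-available/dvws
    ln -sf /etc/nginx/sites-available/dvws /etc/nginx/sites-enabled/dvws
    [ -d "$SITE_ROOT/.git" ] || git clone "$REPO_URL" "$SITE_ROOT"
    set_permissions "$SITE_ROOT"
    nginx -t && systemctl reload nginx   # reload only after the syntax check passes
    echo "DVWS served on http://$SERVER_NAME/ via PHP $ver"
}

# Only touch the system when explicitly asked; otherwise just define the functions.
if [ "${DVWS_RUN:-0}" = "1" ]; then
    main
fi
```

Without DVWS_RUN=1 the script only defines its functions, so you can source it and call render_site_conf 8.1 10.0.0.5 /var/www/html/DVWS to inspect the generated server block before anything is written to /etc/nginx.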

7 — Extra recommendations & missing items I added

I added several practical and security-related steps that were missing from the original text:

7.1 PHP extensions

Install common PHP extensions (mbstring, xml, curl, zip, mysql etc.) — many web apps require them.

7.2 Nginx config validation (nginx -t)

Always validate Nginx config before restart.

7.3 Correct PHP socket path

Check /run/php for the right socket (or use 127.0.0.1:9000 if the PHP-FPM pool is configured with listen = 127.0.0.1:9000 in /etc/php/8.1/fpm/pool.d/www.conf instead of a socket). Many guides forget to adjust this and nginx answers every PHP request with 502 Bad Gateway.

7.4 Minimal permissions principle

Only make truly necessary dirs writable — avoid 777. Set owner to www-data.

7.5 Database / dependencies

If DVWS requires a database (MySQL/MariaDB), install and initialize it:

sudo apt install -y mariadb-server
sudo mysql_secure_installation
# create db/user if DVWS needs one

Read DVWS README to confirm if it requires DB setup.

7.6 Firewall & network isolation

  • Use ufw to restrict access. 'Nginx Full' would open ports 80 and 443 to everyone; instead allow the web port only from the network you test from (10.0.0.0/24 below is a placeholder, use your own lab subnet):
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw allow OpenSSH
sudo ufw allow from 10.0.0.0/24 to any port 80 proto tcp   # add 443 only if you enable TLS
sudo ufw enable
  • Prefer running DVWS in a private network or local VM, not exposed publicly.

7.7 HTTPS (optional but recommended for realistic testing)

For real-world simulation, enable HTTPS with Let's Encrypt. Note that the certbot nginx plugin needs a public DNS name and an HTTP-01 challenge reachable from the Internet on port 80, which is exactly the exposure the rest of this guide tells you to avoid; only do this behind proper containment, and never on a host holding anything but the lab:

sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d your_domain

For local/isolated testing, HTTPS is optional; a self-signed certificate or an internal CA gives you TLS without opening the host to the Internet.

7.8 SELinux / AppArmor considerations

If using a distro with SELinux (CentOS/RHEL) or AppArmor restrictions, you may need to allow nginx/php-fpm access to the document root. On Ubuntu, AppArmor profiles can block access: if you get permission denied errors, look for apparmor="DENIED" entries in the kernel log (dmesg or journalctl -k) before changing filesystem permissions.

7.9 Logging & troubleshooting

  • Nginx access/error logs: /var/log/nginx/
  • PHP-FPM logs (path depends on PHP version): check systemd journal or /var/log/.

7.10 Use a VM or container for safety

Because DVWS is intentionally vulnerable, run it inside:

  • a local VM (VirtualBox, Vagrant), or
  • an isolated Docker container, or
  • a private network / VPN.

8 — Quick Docker alternative (safer & easier to tear down)

If you prefer Docker (recommended for isolation), do this:

# Dockerfile example (single container: php-fpm base image plus nginx)
FROM php:8.1-fpm
RUN apt-get update && apt-get install -y --no-install-recommends nginx git unzip \
    && rm -rf /var/lib/apt/lists/*
# install additional PHP extensions as needed (mysqli shown; check the DVWS README)
RUN docker-php-ext-install mysqli
RUN git clone https://github.com/interference-security/DVWS.git /var/www/html/DVWS
# still needed: an nginx site config with fastcgi_pass 127.0.0.1:9000 and a CMD that
# starts both nginx and php-fpm (the base image's CMD starts php-fpm only), or run
# nginx in a separate container instead

Or run a ready Nginx + PHP-FPM container and mount DVWS into /var/www/html. Using Docker Compose with separate nginx and php-fpm services is common.
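The separate nginx and php-fpm services layout written out, as an added example that is not part of DVWS or of the original post: a small script that writes a Compose file, the php-fpm image definition and an nginx site config. Assumptions: the repository is checked out at ./DVWS next to the generated files, the app works on PHP 8.1 with mysqli/pdo_mysql, it may need a MariaDB database, and the credentials are placeholders. Containment is the point of this version: nginx is published on 127.0.0.1 only and the database is never published at all.

```shell
#!/bin/sh
# compose_bundle.sh: Compose layout with separate nginx, php-fpm and MariaDB
# services. Added example, not shipped by DVWS. Assumes DVWS is checked out at
# ./DVWS next to the generated files and that PHP 8.1 + mysqli/pdo_mysql fits it;
# credentials are placeholders for a throwaway lab.
set -eu

# Write docker-compose.yml, php.Dockerfile and nginx/default.conf into $1.
write_compose_bundle() {
    dir="$1"
    mkdir -p "$dir/nginx"

    cat > "$dir/docker-compose.yml" <<'EOF'
services:
  web:
    image: nginx:alpine
    # Bound to loopback only: reachable from this host (or an SSH tunnel),
    # never from the LAN or the Internet.
    ports:
      - "127.0.0.1:8080:80"
    volumes:
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
      - ./DVWS:/var/www/html/DVWS:ro
    depends_on:
      - php

  php:
    build:
      context: .
      dockerfile: php.Dockerfile
    volumes:
      - ./DVWS:/var/www/html/DVWS
    depends_on:
      - db

  db:
    image: mariadb:11
    environment:
      MARIADB_ROOT_PASSWORD: change-me-root   # placeholder, lab only
      MARIADB_DATABASE: dvws
      MARIADB_USER: dvws
      MARIADB_PASSWORD: change-me-dvws
    # no port mapping: the database is reachable only on the compose network
EOF

    cat > "$dir/php.Dockerfile" <<'EOF'
FROM php:8.1-fpm
# extensions the post lists as commonly needed; assumption, adjust to the README
RUN docker-php-ext-install mysqli pdo_mysql
EOF

    cat > "$dir/nginx/default.conf" <<'EOF'
server {
    listen 80;
    server_name _;

    root /var/www/html/DVWS;
    index index.php index.html;
    client_max_body_size 10M;

    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP-FPM listens on TCP 9000 inside the php service; the code path must be
    # identical in both containers so SCRIPT_FILENAME resolves on the php side.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass php:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
EOF
}

# Usage (from a directory that already contains ./DVWS):
#   sh compose_bundle.sh . && docker compose up -d
# then open http://127.0.0.1:8080/ ; "docker compose down -v" tears it all down.
if [ "${1:-}" != "" ]; then
    write_compose_bundle "$1"
fi
```

Because the loopback binding is on the nginx service and the db service has no port mapping, the only way onto the lab from another machine is an SSH tunnel to this host, which is the containment the page asks for; docker compose down -v removes the containers and the database volume when you are done.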


9 — Final security and ethical notes (important)

  • DVWS is intentionally vulnerable. Use only on systems you own or have explicit permission to test.
  • Do not expose DVWS to the public Internet unless you fully isolate it (VPN, firewall, private subnet).
  • Clean up or destroy the VM/container after testing.
  • Use best practices when reusing any configuration in production (strict permissions, updated packages, remove sample/test apps).

10 — Troubleshooting quick checklist

  • sudo nginx -t — config syntax ok?
  • systemctl status 'php*-fpm' — PHP-FPM running? (quote the pattern so the shell does not expand it)
  • Check socket: ls /run/php/ and match fastcgi_pass.
  • Logs: /var/log/nginx/error.log, /var/log/nginx/access.log, PHP-FPM logs.
  • Permissions: owner www-data:www-data, no 777.
