Damn Vulnerable Web Application (DVWA): The Classic Playground for Web App Security

Welcome to DVWA: Learn Web Security the Hands-On Way

Damn Vulnerable Web Application (DVWA) is a legendary tool in the cybersecurity world, purposefully crafted to be insecure. Built using PHP and MariaDB, DVWA is designed for learning, practicing, and testing web security techniques in a safe and controlled environment.

Whether you’re a budding ethical hacker, a seasoned pentester, or a developer trying to build more secure applications, DVWA offers a rich environment filled with real-world vulnerabilities. It’s perfect for hands-on practice with web security challenges.

Use Cases for DVWA

DVWA is ideal for:

  • Practicing common web vulnerabilities like XSS, SQLi, CSRF, and file inclusion
  • Testing and developing security tools in a controlled environment
  • Teaching web security concepts to students in labs or classrooms
  • Running Capture The Flag (CTF) competitions

The app includes both documented and hidden vulnerabilities, encouraging exploration and deep learning.

Installation and Setup

You can install DVWA in various ways based on your environment and comfort level:

1. Manual Installation

Clone the repository into the web root (for example /var/www/html) and serve it with Apache, PHP, and MariaDB. Copy config/config.inc.php.dist to config/config.inc.php, set the database credentials in it, then open /setup.php in a browser and click "Create / Reset Database". You'll need:

  • Apache2
  • PHP (v7.3+ recommended)
  • MariaDB server and client
  • PHP modules like mysqli and gd

On Debian-based systems, install dependencies using:

apt update
apt install -y apache2 mariadb-server mariadb-client php php-mysqli php-gd libapache2-mod-php
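The configuration step that follows the package install, as an added example (not code from the DVWA project): a small POSIX shell script that writes config/config.inc.php and prints the SQL that creates the database and the dvwa user. It assumes DVWA is cloned to the directory passed as the first argument, that the MariaDB user and database are both named dvwa, and that the $_DVWA keys match upstream's config.inc.php.dist; diff against your copy if the template has changed.

```shell
#!/bin/sh
# Added example, not code from the DVWA project: after the apt step,
# generate the config file and the database bootstrap SQL that the manual
# install needs. Assumptions: DVWA is cloned to the directory given as $1
# (e.g. /var/www/html/DVWA), the MariaDB user and database are both named
# "dvwa", and the password is given as $2. The $_DVWA keys are those of
# upstream config/config.inc.php.dist; diff against your copy if it changes.
set -eu

# Refuse passwords that would break the single-quoted PHP/SQL literals below.
dvwa_check_pass() {
    case "$1" in
        *\'*|*\\*) echo "password must not contain ' or \\" >&2; return 1 ;;
    esac
}

# Write config/config.inc.php. The security level starts at 'low' so the
# exercises work out of the box; raise it from the DVWA Security page.
dvwa_write_config() {
    root="$1"; db_pass="$2"
    dvwa_check_pass "$db_pass" || return 1
    mkdir -p "$root/config"
    cat > "$root/config/config.inc.php" <<EOF
<?php
\$_DVWA = array();
\$_DVWA['db_server']   = '127.0.0.1';
\$_DVWA['db_database'] = 'dvwa';
\$_DVWA['db_user']     = 'dvwa';
\$_DVWA['db_password'] = '${db_pass}';
\$_DVWA['db_port']     = '3306';
\$_DVWA['default_security_level'] = 'low';
\$_DVWA['disable_authentication'] = false;
\$_DVWA['SQLI_DB'] = MYSQL;
EOF
}

# Print the SQL that creates the database and a user limited to that schema
# (and to localhost), which is all setup.php needs. Apply with:
#   dvwa_db_sql 'p@ssw0rd' | sudo mariadb
dvwa_db_sql() {
    dvwa_check_pass "$1" || return 1
    printf "CREATE DATABASE IF NOT EXISTS dvwa;\n"
    printf "CREATE USER IF NOT EXISTS 'dvwa'@'localhost' IDENTIFIED BY '%s';\n" "$1"
    printf "GRANT ALL ON dvwa.* TO 'dvwa'@'localhost';\n"
    printf "FLUSH PRIVILEGES;\n"
}

# Usage: sh dvwa-setup.sh /var/www/html/DVWA 'p@ssw0rd'
# Then browse to http://localhost/DVWA/setup.php and click "Create / Reset Database".
if [ "$#" -eq 2 ]; then
    dvwa_write_config "$1" "$2"
    dvwa_db_sql "$2"
fi
```

The grant is deliberately scoped to the dvwa schema rather than using the MariaDB root account: DVWA's SQL injection modules run arbitrary queries as this user, so a root credential in config.inc.php would let a lab exercise reach every other database on the host.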

2. Docker

If you prefer containerization, DVWA has an official Docker image. After installing Docker and Docker Compose, simply run:

git clone https://github.com/digininja/DVWA.git
cd DVWA
docker compose up -d

DVWA will be available at http://localhost:4280.

3. Windows + XAMPP

Download and install XAMPP (which bundles Apache, PHP, and MariaDB), then copy the DVWA files into the htdocs directory and fill in config/config.inc.php as in the manual install. Detailed video guides are available for walkthroughs.

Core Features

  • Multiple Security Levels: Every module runs at low, medium, high, or impossible. Low is the naive code, medium and high add mitigations that can still be bypassed, and impossible is the reference secure implementation to compare against
  • Wide Vulnerability Coverage: Practice XSS, SQLi, RFI, LFI, CSRF, command injection, and more
  • API Lab: Practice attacks on a dedicated RESTful API
  • Authentication Bypass Config: The disable_authentication option in config.inc.php turns off the login page, useful for automated scanners and CI runs
  • SQLite3 Support: The SQL injection labs can be backed by SQLite instead of MariaDB (the SQLI_DB setting), so the same module can be practised against two database engines with different syntax

Security Considerations

Important: DVWA is intentionally insecure. Its command injection and file upload modules hand anyone who can reach the web interface command execution on the host, so never deploy it on a public-facing or shared network. Run it inside an isolated virtual machine or container on a host-only or NAT network, bind it to localhost where you can, and treat the host as disposable.
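A quick way to confirm the isolation advice above holds on a given host, as an added example (not a DVWA project script): a POSIX shell function that reads `ss -ltn` output and flags any DVWA port bound to a wildcard address that other hosts can reach. It assumes DVWA answers on port 80 (Apache) or 4280 (the Docker mapping shown earlier); set DVWA_PORTS for other layouts. The sample listener table in the block is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the DVWA project: check that a DVWA instance is
# not listening on an address other hosts can reach. Feed it the output of
# `ss -Hltn` (a header line is tolerated); it prints every DVWA port bound to
# a wildcard address and returns 1 if any is found, 0 otherwise.
# Assumption: DVWA answers on 80 (Apache) or 4280 (the Docker mapping);
# override with DVWA_PORTS="80 8080" for other setups.
set -eu
DVWA_PORTS="${DVWA_PORTS:-80 4280}"

dvwa_exposed_listeners() {
    awk -v ports="$DVWA_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        laddr = $4                        # ss column 4: Local Address:Port
        port = laddr; sub(/.*:/, "", port)
        addr = laddr; sub(/:[^:]*$/, "", addr)
        if (!(port in want)) next
        # wildcard binds accept connections on every interface
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
            print "EXPOSED " laddr; found = 1
        }
    }
    END { exit found ? 1 : 0 }'
}

# Constructed sample of `ss -ltn` output, not captured from a real host:
# Apache on all interfaces, MariaDB on loopback, and two Docker mappings,
# one published on all interfaces and one restricted to 127.0.0.1.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      4096   127.0.0.1:3306     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:4280       0.0.0.0:*
LISTEN 0      4096   127.0.0.1:4280     0.0.0.0:*
LISTEN 0      511    [::]:80            [::]:*'

# Live check:           ss -Hltn | dvwa_exposed_listeners
# Demo on the sample:   sh dvwa-exposure.sh --demo   (three lines flagged, exit 1)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | dvwa_exposed_listeners
fi
```

On the sample the check flags 0.0.0.0:80, 0.0.0.0:4280 and [::]:80 and leaves the 127.0.0.1:4280 mapping alone; for Docker that loopback-only mapping is what you get by publishing the port as 127.0.0.1:4280:80 instead of 4280:80.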

By default, login credentials are:

  • Username: admin
  • Password: password

Troubleshooting and Tips

DVWA provides an extensive troubleshooting guide, including help with database configuration, permission issues, blank pages, and PHP errors. Enable PHP error display (display_errors in php.ini) while debugging, turn it back off afterwards, and consult the video tutorials linked in the repo for additional guidance.

Final Thoughts

DVWA remains a cornerstone for anyone serious about understanding web application security. With its flexible deployment options, layered security levels, and support for both beginner and advanced users, it’s an essential tool in the learning arsenal of any cybersecurity enthusiast or professional.

Set it up, start hacking, and level up your web security skills!
