
Damn Vulnerable Web Application

Practice web application security testing in a controlled environment. Master SQL injection, XSS, CSRF, and 18+ vulnerability types across four difficulty levels.

Quick Start

Get DVWA running in minutes and start your security training journey.

1. Download or clone DVWA

Get the latest version from the official GitHub repository:

    git clone https://github.com/digininja/DVWA.git
    cd DVWA

Alternatively, download the ZIP file and extract it.

2. Deploy using Docker (Recommended)

The fastest way to get started is with Docker Compose:

    docker compose up -d

DVWA will be available at http://localhost:4280. The default credentials are:
  • Username: admin
  • Password: password
Docker automatically handles PHP, MariaDB, and Apache configuration. No manual setup required.

3. Set up the database

After accessing DVWA, click Setup DVWA in the main menu, then click Create / Reset Database. This initializes the database with test data including five user accounts with various security weaknesses.

4. Choose your security level

Navigate to DVWA Security and select your difficulty level:
  • Low: Minimal to no security controls
  • Medium: Basic security measures with flaws
  • High: More robust security with exploitable weaknesses
  • Impossible: Secure implementations for learning proper defenses
Start with Low to understand each vulnerability before progressing to harder levels.

Explore Vulnerabilities

Master 18+ vulnerability types with hands-on exercises at multiple difficulty levels.

SQL Injection

Learn to identify and exploit SQL injection vulnerabilities in database queries.

Cross-Site Scripting

Practice reflected, stored, and DOM-based XSS attacks.

Command Injection

Execute arbitrary system commands through vulnerable input fields.

CSRF Attacks

Exploit Cross-Site Request Forgery vulnerabilities.

File Upload

Bypass file upload restrictions to execute malicious code.

Brute Force

Practice password cracking and authentication bypass techniques.

Training Features

DVWA provides everything you need for comprehensive web security training.

Four Security Levels

Progress from Low (vulnerable) to Impossible (secure) to understand both exploitation and defense.

View Source Code

Examine the vulnerable code at each security level to understand exactly what went wrong.

Built-in Help

Each vulnerability module includes documentation, objectives, and hints for each difficulty level.

Multiple Deployment Options

Deploy with Docker, XAMPP, or manually on Linux. Choose the method that works best for your environment.

Deployment Options

Choose the deployment method that fits your workflow.

Docker

The fastest way to get started. Automated setup with containers.

XAMPP

Cross-platform Apache, MySQL, and PHP stack for Windows, Mac, and Linux.

Linux Manual

Full control with manual Apache and MariaDB installation.

Important Security Warning

DVWA is intentionally vulnerable. Never deploy it to a production server or any Internet-facing environment. Use it only in isolated virtual machines or containers with NAT networking.

If your web server is compromised via DVWA, it is your responsibility. We have provided clear warnings and security guidelines. Always run DVWA in a sandboxed environment.
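
One way to verify the isolation this warning asks for, as an added example that is not part of the DVWA project: the shell functions below read `ss -ltn` output and flag any listener on port 4280 (the port named in the Quick Start) that is bound to something other than loopback. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Host port used by the Docker deployment, per the Quick Start (localhost:4280).
DVWA_PORT=4280

# Reads `ss -ltn` output on stdin and prints each listening address for
# DVWA_PORT that is NOT loopback. Prints nothing when all are loopback-only.
exposed_listeners() {
    awk -v port="$DVWA_PORT" '
        $1 == "LISTEN" {
            la = $4                          # "Local Address:Port" column
            n = match(la, /:[^:]*$/)         # last colon splits address from port
            if (n == 0) next
            addr = substr(la, 1, n - 1)
            if (substr(la, n + 1) != port) next
            # 127.0.0.0/8 and [::1] are loopback; anything else is reachable off-host
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# Returns 0 when the port is loopback-only (or not listening), 1 when exposed.
check_dvwa_binding() {
    exposed=$(exposed_listeners)
    if [ -n "$exposed" ]; then
        echo "DVWA port $DVWA_PORT listens on non-loopback address(es):" >&2
        echo "$exposed" >&2
        return 1
    fi
    return 0
}

# Constructed sample input in the format printed by `ss -ltn`.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:4280     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:4280       0.0.0.0:*
LISTEN 0      4096   [::]:4280          [::]:*
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*'

# Demo on the constructed samples. On a real host: ss -ltn | check_dvwa_binding
printf '%s\n' "$SAMPLE_LOOPBACK" | check_dvwa_binding && echo "sample 1: loopback-only"
printf '%s\n' "$SAMPLE_EXPOSED" | check_dvwa_binding || echo "sample 2: exposed"
```

A non-zero exit means the lab is reachable from other hosts on the network and should be taken down until the binding is restricted to loopback.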

Resources & Support

Get help, contribute, and connect with the community.

Troubleshooting

Solve common installation and configuration issues.

Contributing

Help improve DVWA by contributing code, documentation, or translations.

Ready to Start Your Security Training?

Set up DVWA in minutes and begin practicing real-world web application vulnerabilities.
