
Important Notice

DVWA contains intentional vulnerabilities - that is its whole point. Please do not try to report them as security issues.
The clue is in its name: Damn Vulnerable Web Application contains both intentional and unintentional vulnerabilities. This is by design.

About DVWA’s Vulnerabilities

Intentional Vulnerabilities

DVWA’s main goal is to be an aid for:
  • Security professionals to test their skills and tools in a legal environment
  • Web developers to better understand the processes of securing web applications
  • Students and teachers to learn about web application security in a controlled classroom environment
The aim of DVWA is to let you practice some of the most common web vulnerabilities, at various levels of difficulty, through a simple, straightforward interface.

Documented and Undocumented Vulnerabilities

There are both documented and undocumented vulnerabilities in this software. This is intentional. You are encouraged to try and discover as many issues as possible.

Why NOT to Report Vulnerabilities in DVWA

Please Don’t Submit Vulnerability Reports

To put it simply: please don’t report vulnerabilities in DVWA! Once a year or so, someone submits a report for a vulnerability they’ve found in the app. Some are well written (sometimes better than paid pen test reports), while others are just “you are missing headers, pay me”. The app has vulnerabilities - it is deliberate:
  • Most are documented - The well-documented ones that you work through as lessons
  • Some are “hidden” - Ones to find on your own

The CVE Incident

In 2023, this escalated to a whole new level when someone decided to request a CVE for one of the vulnerabilities. They were assigned CVE-2023-39848. Much hilarity ensued and time was wasted getting this corrected.
Do not request CVEs for DVWA vulnerabilities. They are intentional and documented features, not security flaws.

Showcase Your Skills Instead

If you really want to show off your skills at finding the hidden extras, we encourage you to:
  • Write a blog post about your findings
  • Create a video demonstrating the vulnerability and how you found it
  • Share your methodology to help others learn
There are probably people out there who would be interested in learning about these vulnerabilities and your process for discovering them.
If you send us a link to your blog post or video, we may even include it in the references section.

Responsible Disclosure for Project Infrastructure

While DVWA itself is intentionally vulnerable, the project infrastructure (GitHub repository, website, etc.) should not be.

When to Report

You should report security issues if you find vulnerabilities in:
  • The GitHub repository infrastructure
  • The project website
  • The documentation site
  • Build/deployment processes
  • Any non-application infrastructure

How to Report Infrastructure Issues

If you discover a legitimate security issue with the project infrastructure (not the application itself):
  1. Do not open a public GitHub issue
  2. Contact the project maintainers privately
  3. Provide detailed information about the issue
  4. Allow time for the issue to be addressed before public disclosure

What NOT to Report

Please do not report:
  • SQL injection vulnerabilities in DVWA
  • Cross-site scripting (XSS) in DVWA
  • Command injection in DVWA
  • File upload vulnerabilities in DVWA
  • Any other intentional vulnerability in the application
  • Missing security headers in DVWA
  • Any vulnerability that is part of the learning modules

Safety Warning

DVWA is damn vulnerable! Do not upload it to your hosting provider’s public HTML folder or any Internet-facing servers, as they will be compromised.
The recommended setup is:
  • A virtual machine (such as VirtualBox or VMware)
  • The VM's networking set to NAT mode
  • XAMPP downloaded and installed inside the guest machine, to provide the web server and database

Disclaimer

We do not take responsibility for the way in which anyone uses this application (DVWA). We have:
  • Made the purposes of the application clear
  • Warned that it should not be used maliciously
  • Taken measures to prevent users from installing DVWA on live web servers
If your web server is compromised via an installation of DVWA, it is not our responsibility - it is the responsibility of the person(s) who uploaded and installed it.

Educational Purpose

DVWA is designed for legal, educational purposes only. Use it to:
  • Learn about web application security
  • Practice penetration testing skills
  • Understand common vulnerabilities
  • Test security tools
  • Train development teams on secure coding

Summary

  • DVWA is intentionally vulnerable - do not report these vulnerabilities
  • Do not request CVEs for DVWA’s intentional vulnerabilities
  • Only deploy DVWA in isolated, secure environments (VMs, local networks)
  • Infrastructure issues with the project itself can be reported privately
  • Share your findings through blog posts or videos to help others learn

Created by the DVWA team
