Skip to main content

Overview

XAMPP is the easiest way to install DVWA on Windows and macOS. It provides Apache, MySQL (MariaDB), PHP, and phpMyAdmin in a single package with a simple graphical interface.
Do not upload DVWA to your hosting provider’s public HTML folder or any Internet-facing servers. DVWA is intentionally vulnerable and will be compromised. Use it only in isolated environments like virtual machines with NAT networking.

What is XAMPP?

XAMPP is a free, open-source web server solution stack package that includes:
  • Apache - Web server
  • MariaDB/MySQL - Database server
  • PHP - Server-side scripting language
  • Perl - Programming language
  • phpMyAdmin - Web-based database management tool
  • FTP Server - File transfer protocol server
It works on Linux, Windows, macOS, and Solaris.

Download XAMPP

Download the latest version from the official website: https://www.apachefriends.org/ Select the version for your operating system (Windows, macOS, or Linux).

Installation

Windows Installation

  1. Run the XAMPP installer (may require administrator privileges)
  2. Select components - Ensure at least Apache, MySQL, PHP, and phpMyAdmin are selected
  3. Choose installation directory - Default is C:\xampp
  4. Complete the installation
  5. Launch XAMPP Control Panel

macOS Installation

  1. Open the XAMPP DMG file
  2. Drag XAMPP to Applications folder
  3. Open XAMPP from Applications
  4. Grant necessary permissions when prompted
  5. Launch the XAMPP Control Panel (manager-osx)
For a detailed Windows installation walkthrough, watch Installing DVWA on Windows using XAMPP.

Start Services

In the XAMPP Control Panel:
  1. Start Apache - Click the “Start” button next to Apache
  2. Start MySQL - Click the “Start” button next to MySQL
Verify both services show “Running” status.

Verify Apache

Open a browser and navigate to: 
http://localhost
You should see the XAMPP welcome page.

Verify MySQL

Navigate to: 
http://localhost/phpmyadmin
You should see the phpMyAdmin interface.

Download DVWA

You can obtain DVWA in two ways:

Option 1: Download ZIP

  1. Visit https://github.com/digininja/DVWA
  2. Click Code → Download ZIP
  3. Extract the ZIP file

Option 2: Clone with Git

If you have Git installed: 
git clone https://github.com/digininja/DVWA.git
```bash

## Install DVWA to XAMPP

### Locate the htdocs Directory

**Windows:** `C:\xampp\htdocs`
**macOS:** `/Applications/XAMPP/htdocs`
**Linux:** `/opt/lampp/htdocs`

### Copy DVWA Files

1. **Copy or move** the DVWA folder to the htdocs directory
2. The structure should be:
htdocs/ └── DVWA/ ├── config/ ├── vulnerabilities/ ├── index.php └── … 

<Note>
Linux is case-sensitive. The folder is named `DVWA` (uppercase), so you'll access it at `http://localhost/DVWA`, not `http://localhost/dvwa`.
</Note>

## Configure PHP

DVWA requires specific PHP settings to work properly and demonstrate certain vulnerabilities.

### Locate php.ini

**Windows:** `C:\xampp\php\php.ini`
**macOS:** `/Applications/XAMPP/etc/php.ini`
**Linux:** `/opt/lampp/etc/php.ini`

Or use the XAMPP Control Panel:
- Click **Config** next to Apache → Select **PHP (php.ini)**

### Required PHP Settings

Open `php.ini` in a text editor and modify these directives:

```ini
; Enable Remote File Inclusion (required for RFI vulnerability)
allow_url_include = On
allow_url_fopen = On

; Display all errors (helps with debugging)
display_errors = On
display_startup_errors = On

; Disable magic quotes (if present in your PHP version)
magic_quotes_gpc = Off

Apply Changes

After editing php.ini:
  1. Save the file
  2. Restart Apache from the XAMPP Control Panel (Stop → Start)

Database Setup

Create Database and User

  1. Open phpMyAdmin: Navigate to http://localhost/phpmyadmin
  2. Create the database:
    • Click the SQL tab
    • Run the following SQL commands:
    CREATE DATABASE dvwa;
CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
FLUSH PRIVILEGES;


   Alternatively, use the **Databases** tab:
   - Enter `dvwa` as the database name
   - Click **Create**

3. **Create the user** (if not using SQL method):
   - Click **User accounts****Add user account**
   - Username: `dvwa`
   - Host: `localhost`
   - Password: `p@ssw0rd`
   - Under "Database for user account", select **Grant all privileges on database `dvwa`**
   - Click **Go**

<Note>
If using MariaDB (default in XAMPP), you **cannot** use the root user for DVWA. You must create a dedicated user as shown above.
</Note>

## Configure DVWA

### Copy Configuration File

DVWA includes a template configuration file that needs to be copied:

**Windows:**
```bash
copy C:\xampp\htdocs\DVWA\config\config.inc.php.dist C:\xampp\htdocs\DVWA\config\config.inc.php
macOS/Linux: 
cp /Applications/XAMPP/htdocs/DVWA/config/config.inc.php.dist /Applications/XAMPP/htdocs/DVWA/config/config.inc.php
```bash

Or copy manually using File Explorer/Finder:
- Navigate to `htdocs/DVWA/config/`
- Copy `config.inc.php.dist`
- Paste and rename to `config.inc.php`

<Warning>
On Windows, if file extensions are hidden, you might create `config.inc.php.txt` by mistake. Enable "File name extensions" in File Explorer's View menu. See [How to Make Windows Show File Extensions](https://www.howtogeek.com/205086/beginner-how-to-make-windows-show-file-extensions/).
</Warning>

### Edit Configuration File

Open `config/config.inc.php` and verify the database settings:

```php
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
$_DVWA[ 'db_port' ]     = '3306';
These should match the database credentials you created in phpMyAdmin.
If you have connection issues, try changing db_server from localhost to 127.0.0.1. This fixes socket-related problems on some systems.

Set Folder Permissions

The upload directory must be writable by the web server: Windows:
  1. Right-click DVWA/hackable/uploads/
  2. Properties → Security → Edit
  3. Add Users or Everyone with Full Control (for testing only)
macOS/Linux: 
chmod 777 /Applications/XAMPP/htdocs/DVWA/hackable/uploads/
```bash

<Warning>
777 permissions are highly insecure. Only use this in isolated testing environments, never on production systems.
</Warning>

## Initialize DVWA

1. **Open DVWA in your browser:**
http://localhost/DVWA/ 

2. **You should see a setup page.** If not, check:
   - Apache and MySQL are running in XAMPP Control Panel
   - You're using `http://localhost/DVWA/` (case-sensitive)
   - PHP configuration is correct

3. **Click "Create / Reset Database"**

   This creates the necessary database tables and populates them with default data.

4. **If you see errors:**
   - Database connection errors: Verify credentials in `config.inc.php`
   - Permission errors: Check folder permissions on `hackable/uploads/`
   - Blank page: Enable `display_errors` in `php.ini` and restart Apache

## Login

After database initialization, you'll be redirected to the login page.

**Default Credentials:**
- **Username:** `admin`
- **Password:** `password`

Login URL: `http://localhost/DVWA/login.php`

## Verify Installation

After logging in:

1. Check the **DVWA Security** page (in the menu) to see current security level
2. Try accessing a vulnerability module (e.g., SQL Injection)
3. Review the **PHP Info** page to confirm PHP configuration

## Troubleshooting

### Apache Won't Start

**Port 80 conflict:**
- Another service (Skype, IIS, etc.) may be using port 80
- Stop the conflicting service or change Apache's port:
  - XAMPP Control Panel → Config (Apache) → httpd.conf
  - Change `Listen 80` to `Listen 8080`
  - Restart Apache and access DVWA at `http://localhost:8080/DVWA/`

**Port 443 conflict:**
- Similar to port 80, change in httpd-ssl.conf

### MySQL Won't Start

**Port 3306 conflict:**
- Another MySQL/MariaDB instance may be running
- Stop the conflicting service or change MySQL port in XAMPP config

**Service not initialized:**
- Try reinstalling XAMPP
- Check MySQL error logs in `xampp/mysql/data/`

### Database Connection Failed
Database Error #1045: Access denied for user ‘dvwa’@‘localhost’ 

**Solutions:**
1. Verify credentials in `config.inc.php` match those created in phpMyAdmin
2. Test connection via command line:
   ```bash
   # Windows
   C:\xampp\mysql\bin\mysql.exe -u dvwa -pp@ssw0rd -D dvwa
   
   # macOS/Linux
   /Applications/XAMPP/bin/mysql -u dvwa -pp@ssw0rd -D dvwa
  1. Recreate the database user in phpMyAdmin

Blank Page After Accessing DVWA

Cause: PHP errors are hidden Solution:
  1. Enable error display in php.ini: 
    display_errors = On
display_startup_errors = On

2. Restart Apache
3. Refresh the page to see the actual error

### File Upload Not Working

**Cause:** Insufficient permissions on upload directory

**Solution:**
- Verify `hackable/uploads/` is writable by the web server
- On Windows: Grant **Full Control** to **Users** or **IUSR**
- On macOS/Linux: `chmod 777 hackable/uploads/`

### 404 Error - Page Not Found

**Common causes:**
1. Wrong URL (case-sensitive on macOS/Linux):
   -`http://localhost/DVWA/`
   -`http://localhost/dvwa/`
2. Files not in `htdocs` directory
3. Apache document root misconfigured

## Security Reminders

<Warning>
1. **Never expose XAMPP/DVWA to the internet**
2. **Use a virtual machine** with NAT networking for isolation
3. **Disable XAMPP services** when not in use
4. **Do not use default credentials** on any production system
5. **DVWA contains real vulnerabilities** - treat it as a compromised system from the start
</Warning>

## Next Steps

After successful installation:

1. Explore the **DVWA Security** settings (low, medium, high, impossible)
2. Start with **SQL Injection** or **XSS** vulnerabilities
3. Review the **Help** documentation for each module
4. Practice ethical hacking techniques in a safe environment

<Note>
For additional help, see the [DVWA Troubleshooting Video](https://youtu.be/C-kig5qrPSA) or review the [official GitHub issues](https://github.com/digininja/DVWA/issues).
</Note>

Build docs developers (and LLMs) love

Get started for freeTalk to us