What is DVWA?
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is intentionally vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and to aid both students and teachers to learn about web application security in a controlled classroom environment.
Purpose
The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface.
There are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.
Who Should Use DVWA?
DVWA is designed for:
Security Professionals
- Practice penetration testing techniques
- Test security tools in a safe environment
- Develop proof-of-concept exploits
- Sharpen vulnerability assessment skills
Web Developers
- Learn how vulnerabilities work
- Understand secure coding practices
- See the difference between vulnerable and secure code
- Practice implementing security controls
Students & Teachers
- Hands-on security education
- Demonstrate real vulnerabilities
- Understand OWASP Top 10 weaknesses
- Learn both attack and defense
Key Features
18+ Vulnerability Modules
Practice SQL injection, XSS, CSRF, command injection, file upload, and more.
Four Security Levels
Progress from Low (vulnerable) through Medium and High to Impossible (secure).
View Source Code
See exactly how each vulnerability works at every security level.
Built-in Help
Each module includes documentation, objectives, and hints.
Security Levels
DVWA offers four security levels for each vulnerability:
- Low: Minimal or no security controls. Perfect for understanding the vulnerability.
- Medium: Basic security measures that can be bypassed with some effort.
- High: More robust security with exploitable weaknesses.
- Impossible: Properly secured implementations showing best practices.
Available Vulnerabilities
DVWA includes training modules for:
Injection Attacks
- SQL Injection
- Blind SQL Injection
- Command Injection
- File Inclusion (LFI/RFI)
Cross-Site Scripting
- Reflected XSS
- Stored XSS
- DOM-based XSS
Authentication & Access Control
- Brute Force
- Authorization Bypass
- Weak Session IDs
- Broken Access Control
Web Application Attacks
- Cross-Site Request Forgery (CSRF)
- File Upload
- Insecure CAPTCHA
- Open HTTP Redirect
- JavaScript Attacks
Security Features
- Content Security Policy (CSP) Bypass
- Cryptography
- API Security
CRITICAL Security Warning
Disclaimer
We do not take responsibility for the way in which anyone uses this application (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on live web servers. If your web server is compromised via an installation of DVWA, it is not our responsibility—it is the responsibility of the person/s who uploaded and installed it.
License
Damn Vulnerable Web Application (DVWA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. DVWA is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Next Steps
Ready to get started? Check out our Quick Start Guide to get DVWA up and running in minutes.
Quick Start
Get DVWA running with Docker in under 5 minutes
Installation Guide
Detailed installation options for all platforms
Configuration
Configure DVWA for your environment
Explore Vulnerabilities
Start learning with SQL injection
