Get DVWA Running in 5 Minutes

This guide will get you from zero to practicing web vulnerabilities in under 5 minutes using Docker.
DVWA is intentionally vulnerable. Only run it in isolated environments like virtual machines with NAT networking. Never deploy to production or Internet-facing servers.

Prerequisites

You’ll need Docker and Docker Compose installed. Verify the installation:
docker version
docker compose version
You should see version information for both commands.

Step-by-Step Setup

1. Download DVWA

Clone the repository:
git clone https://github.com/digininja/DVWA.git
cd DVWA
Or download the ZIP file and extract it.

2. Start Docker Containers

Run Docker Compose to start both the web application and database:
docker compose up -d
This command:
  • Downloads the DVWA image (or builds it locally)
  • Starts MariaDB database with pre-configured credentials
  • Exposes DVWA on port 4280
The -d flag runs containers in detached mode (background). Omit it to see logs in real-time.

3. Access DVWA

Open your web browser to:
http://localhost:4280
You should see the DVWA login page.
Why port 4280? This avoids conflicts with other services on port 80 and doesn’t require elevated privileges on Linux.

4. Set Up the Database

Before logging in, you must initialize the database:
  1. On the login page, click Setup DVWA in the main menu
  2. Scroll down and click Create / Reset Database
  3. Wait for the database initialization to complete
  4. You’ll be redirected to the login page
If you see any errors during setup, check the Database Troubleshooting guide.

5. Log In

Use the default credentials:
  • Username: admin
  • Password: password
These credentials are intentionally weak for learning purposes. You can practice brute force attacks against them!

6. Choose Your Security Level

After logging in:
  1. Click DVWA Security in the left sidebar
  2. Select your starting security level
  3. Click Submit
Recommended progression:
  • Start with Low to understand each vulnerability
  • Progress to Medium after successfully exploiting Low
  • Try High for more realistic security controls
  • Study Impossible to learn proper defenses
You can change the security level at any time. Each vulnerability behaves differently at each level.

Your First Vulnerability

Let’s try SQL Injection as your first exercise:

1. Navigate to SQL Injection

Click SQL Injection in the left sidebar under Vulnerabilities.

2. Read the Objective

Click View Help (question mark icon) to see:
  • What the vulnerability is
  • Your objective (extract user passwords)
  • Hints for each security level

3. Try a Basic Injection

At Low security level, try entering this in the User ID field:
1' OR '1'='1
This should display all users in the database, not just user ID 1.

4. View the Source Code

Click View Source to see exactly why this works. Compare the code across different security levels to understand how protections change.
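
The contrast that View Source reveals between a string-built query and a parameterized one, as an added example (not DVWA's PHP source and not part of the original guide). It assumes an in-memory SQLite table with constructed rows and hypothetical function names, and reuses the input from step 3:

```python
import sqlite3

# Constructed sample rows; DVWA's real table lives in MariaDB and differs.
ROWS = [("1", "Alice", "Example"), ("2", "Bob", "Sample"), ("3", "Carol", "Test")]
PAYLOAD = "1' OR '1'='1"  # the User ID input shown in step 3


def make_db():
    """Build an in-memory users table (assumed schema, for illustration)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db


def lookup_concatenated(db, user_id):
    """Vulnerable pattern: the input becomes part of the SQL text itself."""
    query = ("SELECT first_name, last_name FROM users "
             "WHERE user_id = '" + user_id + "'")
    return query, db.execute(query).fetchall()


def lookup_parameterized(db, user_id):
    """Hardened pattern: the input is bound as a value and never parsed as SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return query, db.execute(query, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for label, lookup in (("concatenated", lookup_concatenated),
                          ("parameterized", lookup_parameterized)):
        for value in ("1", PAYLOAD):
            query, rows = lookup(db, value)
            print(f"{label:13} input={value!r}")
            print(f"  SQL : {query}")
            print(f"  rows: {rows}")
```

In the concatenated version the quote characters in the input close the string literal, so the WHERE clause gains an always-true OR branch; in the parameterized version the same input is compared as one literal value and matches no row.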

Quick Reference

Default Credentials

Field              Value
URL                http://localhost:4280
Username           admin
Password           password
Database User      dvwa
Database Password  p@ssw0rd

Docker Commands

# Start DVWA
docker compose up -d

# View logs
docker compose logs

# Stop DVWA
docker compose stop

# Stop and remove containers
docker compose down

# Access DVWA container shell
docker compose exec dvwa bash

# Access MariaDB
docker compose exec db mysql -u dvwa -p'p@ssw0rd' dvwa

Security Levels

Level       Description        When to Use
Low         No security        Learning vulnerability mechanics
Medium      Basic protections  Understanding common defenses
High        Strong protections Realistic attack scenarios
Impossible  Properly secured   Learning correct implementations

Next Steps

Explore Vulnerabilities

Start with SQL Injection and work through all 18+ modules

Configuration Guide

Customize DVWA settings and enable optional features

Security Levels

Understand how each level changes vulnerability behavior

Troubleshooting

Solve common issues and errors

Alternative Installation Methods

If Docker doesn’t work for your environment:

Getting Help

If you encounter issues:
  1. Check Common Issues - most problems are documented
  2. Review Database Errors if database setup fails
  3. Check GitHub Issues for similar problems
  4. Ensure you’re running the latest code from the master branch
When asking for help, include your OS, PHP version, database version, and the last 5 lines from Apache error logs (/var/log/apache2/error.log).