## First-Time Login

When you first access DVWA, you'll need to log in with the default credentials:

- **Username:** `admin`
- **Password:** `password`

The login page is typically available at `http://127.0.0.1/login.php` (or `http://localhost:4280` if using Docker).

These default credentials can be easily brute forced - this is intentional! Change them after setup if you want to practice with different credentials.
## Database Setup

Before you can use DVWA, you must set up the database. This is a one-time process:

- After logging in for the first time, DVWA will prompt you to run `setup.php`
- Navigate to the **Setup DVWA** option in the main menu
- Review the setup check to ensure all requirements are met:
  - PHP version (7.3+ recommended)
  - Database connectivity
  - Required PHP modules (mysqli, GD)
  - Folder permissions for uploads
- Click the **Create / Reset Database** button

The setup process will create or reset the database with default data. If the database already exists, all of its data will be cleared, which is also how you reset the application to its initial state.
### Database Configuration

The default database configuration (in `config/config.inc.php`) uses these settings:

```php
$_DVWA['db_server']   = '127.0.0.1';
$_DVWA['db_database'] = 'dvwa';
$_DVWA['db_user']     = 'dvwa';
$_DVWA['db_password'] = 'p@ssw0rd';
$_DVWA['db_port']     = '3306';
```

If you receive database connection errors, verify these credentials match your database setup.
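As an added example (not DVWA's own code), the following PHP script reproduces the setup checks listed above from the command line and tests the database credentials from `config/config.inc.php` before you click **Create / Reset Database**. The config path relative to the script, the `hackable/uploads` folder location, and the exit-code convention are assumptions, not something DVWA documents here.

```php
<?php
// Added example, not part of DVWA: command-line preflight check that mirrors
// the items on the Setup page (PHP version, mysqli, GD, upload folder
// permissions, database connectivity).
//
// Assumption: this file lives in the DVWA web root, so config/config.inc.php
// is reachable at the relative path below and defines the $_DVWA array.
$_DVWA = [];
require_once __DIR__ . '/config/config.inc.php';

$checks = [];

// PHP version: the setup page recommends 7.3 or newer.
$checks['PHP version >= 7.3'] = version_compare(PHP_VERSION, '7.3.0', '>=');

// Required PHP modules.
$checks['mysqli extension loaded'] = extension_loaded('mysqli');
$checks['GD extension loaded']     = extension_loaded('gd');

// Upload folder must exist and be writable by the web server user.
// Assumption: DVWA's upload folder is hackable/uploads under the web root.
$uploadDir = __DIR__ . '/hackable/uploads';
$checks['uploads folder writable'] = is_dir($uploadDir) && is_writable($uploadDir);

// Database connectivity using the credentials from $_DVWA. No database name
// is selected because setup.php creates the 'dvwa' database itself; we only
// need to prove the server, user, password and port are right.
mysqli_report(MYSQLI_REPORT_OFF);
$connError = null;
$db = @mysqli_connect(
    $_DVWA['db_server'],
    $_DVWA['db_user'],
    $_DVWA['db_password'],
    '',
    (int) $_DVWA['db_port']
);
$checks['database connection'] = ($db !== false);
if ($db === false) {
    $connError = mysqli_connect_error();
} else {
    mysqli_close($db);
}

// Report each check and exit non-zero if anything failed, so the script can
// be used from a provisioning or CI step.
$allOk = true;
foreach ($checks as $name => $ok) {
    printf("[%s] %s\n", $ok ? 'OK' : 'FAIL', $name);
    $allOk = $allOk && $ok;
}
if ($connError !== null) {
    echo "  mysqli error: {$connError}\n";
}
exit($allOk ? 0 : 1);
```

Run it from the DVWA directory with `php preflight.php`; a `FAIL` on the database connection line, together with the printed mysqli error, is the quickest way to tell a wrong password or port in `config/config.inc.php` apart from a server that is not listening at all.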
## Navigating the Interface
Once logged in, you'll find a straightforward navigation menu on the left side:
### Main Sections
- **Home** - Welcome page with general instructions and warnings
- **Instructions** - Access to README, PDF guide, changelog, and license
- **Setup** - Database setup and system requirements check
- **DVWA Security** - Set the security level for all vulnerabilities
- **Vulnerability Modules** - Individual labs for each vulnerability type
### Vulnerability Modules
DVWA includes multiple vulnerability modules:
- **Brute Force** - Password guessing attacks
- **Command Injection** - OS command execution
- **CSRF** - Cross-Site Request Forgery
- **File Inclusion** - Local and remote file inclusion
- **File Upload** - Unrestricted file upload
- **Insecure CAPTCHA** - CAPTCHA bypass techniques
- **SQL Injection** - Database query manipulation
- **SQL Injection (Blind)** - Boolean and time-based SQL injection
- **Weak Session IDs** - Predictable session identifiers
- **XSS (DOM)** - DOM-based cross-site scripting
- **XSS (Reflected)** - Reflected cross-site scripting
- **XSS (Stored)** - Persistent cross-site scripting
- **CSP Bypass** - Content Security Policy evasion
- **JavaScript** - Client-side JavaScript vulnerabilities
- **Authorization Bypass** - Authentication mechanism flaws
- **Open HTTP Redirect** - URL redirection vulnerabilities
- **Broken Access Control** - Access control testing
- **Cryptography** - Cryptographic implementation flaws
- **API** - RESTful API security testing (requires Composer vendor files)
## Accessing Vulnerability Modules
Each vulnerability module has a consistent structure:
1. **Main Exercise Page** - The vulnerable functionality to test
2. **View Source** - Click to see the source code for the current security level
3. **View Help** - Access hints, objectives, and explanations for each security level
### Viewing Source Code
At the bottom of each vulnerability page, you'll find buttons to:
- **View Source** - Shows the backend PHP code for the current security level
- **View Help** - Displays the help documentation with:
  - About section explaining the vulnerability
  - Objective for the exercise
  - Hints for each security level (Low, Medium, High, Impossible)
  - Spoilers with sample exploit payloads
<Tip>
Try to solve each level before viewing the source code or help. This provides the most realistic learning experience.
</Tip>
## General Workflow
A typical workflow for learning with DVWA:
1. **Set your security level** (start with Low)
2. **Choose a vulnerability module** to practice
3. **Read the help page** to understand the objective
4. **Attempt the exploit** without viewing source code
5. **View hints** if you get stuck
6. **Check the source code** to understand the vulnerability
7. **Progress to higher security levels** to learn defensive techniques
8. **Reset the database** if you break something
## Resetting the Application
If you need to reset DVWA to its default state:
1. Go to **Setup DVWA** in the menu
2. Click **Create / Reset Database**
3. This will restore:
   - All user accounts with default passwords
   - Default guestbook entries
   - Empty access logs
   - Administrator credentials (`admin` / `password`)
## Next Steps
Now that you're familiar with the interface:
- Learn about [Security Levels](/usage/security-levels) to understand how difficulty scales
- Review [User Accounts](/usage/user-accounts) to see what accounts are available for testing
- Start with low-level vulnerabilities and work your way up
<Warning>
**Never deploy DVWA on a public-facing server!** It contains intentional vulnerabilities that will compromise your system. Use it only in isolated, controlled environments like VMs with NAT networking.
</Warning>