Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid both students and teachers in learning about web application security in a controlled classroom environment.
Damn Vulnerable Web Application is damn vulnerable! Do not upload it to your hosting provider’s public html folder or to any Internet-facing server, as it will be compromised. It is recommended that you use a virtual machine (such as VirtualBox or VMware) set to NAT networking mode. Inside the guest machine, you can download and install XAMPP for the web server and database.
DVWA is available either as a package that will run on your own web server or as a Live CD:
- DVWA Development Source (Latest) Download ZIP
git clone https://github.com/RandomStorm/DVWA
- DVWA v1.9 Source (Stable) – [1.3 MB] Download ZIP – Released 2015-10-05
- DVWA v1.0.7 LiveCD – [480 MB] Download ISO – Released 2010-09-08
The easiest way to install DVWA is to download and install ‘XAMPP’ if you do not already have a web server setup.
XAMPP is a very easy to install Apache distribution for Linux, Solaris, Windows and Mac OS X. The package includes the Apache web server, MySQL, PHP, Perl, an FTP server and phpMyAdmin.
XAMPP can be downloaded from:
Simply unzip dvwa.zip, place the unzipped files in your public html folder, then point your browser to:
Default username =
Default password =
If you are using a Debian based Linux distribution, you will need to install the following packages (or their equivalent):
apt-get -y install apache2 mysql-server php5 php5-mysql php-pear php5-gd
To set up the database, simply click on the Setup button in the main menu, then click on the ‘Create / Reset Database’ button. This will create / reset the database for you, populated with some sample data.
If you receive an error while trying to create your database, make sure your database credentials are correct within /config/config.inc.php
The variables are set to the following by default:
$_DVWA['db_user'] = 'root';
$_DVWA['db_password'] = '';
$_DVWA['db_database'] = 'dvwa';
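The three settings above are exactly the ones that get copied unchanged from a lab box onto a machine that should never have had them. As an added example (not part of DVWA or this page), here is a small Python check that reads the `$_DVWA[...]` assignments out of a config.inc.php-style file and flags the shipped defaults (a root database user and an empty password). The sample config text is constructed here to mirror the three lines the page shows; the function and variable names are my own.

```python
import re

# Constructed sample mirroring the default lines from /config/config.inc.php.
# Only the three keys the page documents are used here.
SAMPLE_CONFIG = """<?php
$_DVWA = array();
$_DVWA['db_user'] = 'root';
$_DVWA['db_password'] = '';
$_DVWA['db_database'] = 'dvwa';
"""

# Matches one single-quoted string assignment into the $_DVWA array,
# tolerating the spacing/alignment variations seen in hand-edited configs.
_ASSIGN = re.compile(
    r"^\s*\$_DVWA\[\s*'([^']+)'\s*\]\s*=\s*'([^']*)'\s*;", re.MULTILINE
)


def parse_dvwa_config(text):
    """Return the string-valued $_DVWA[...] assignments as a dict."""
    return {key: value for key, value in _ASSIGN.findall(text)}


def check_db_credentials(cfg):
    """Return a list of findings for database settings that should not
    survive past a throwaway lab install. Empty list means nothing flagged."""
    findings = []
    if cfg.get("db_user") == "root":
        findings.append(
            "db_user is 'root': create a dedicated MySQL user with rights "
            "only on the dvwa database instead"
        )
    if cfg.get("db_password", "") == "":
        findings.append("db_password is empty: set a password, even on a NAT-only VM")
    if "db_database" not in cfg:
        findings.append("db_database is not set: the Setup page will fail to create it")
    return findings


def check_config_file(path):
    """Convenience wrapper: parse a config file from disk and return findings."""
    with open(path, encoding="utf-8") as fh:
        return check_db_credentials(parse_dvwa_config(fh.read()))


if __name__ == "__main__":
    for finding in check_db_credentials(parse_dvwa_config(SAMPLE_CONFIG)):
        print("WARNING:", finding)
```

Run it against your own install with `check_config_file('/path/to/dvwa/config/config.inc.php')` before the VM is ever bridged to anything other than NAT; the regex only understands single-quoted literals, which is all the shipped file uses for these three keys.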
Video – Install
Challenge 1 – Upload a shell
Challenge 2.1 – Command Execution Win
Challenge 2.2 – Command Execution Linux
Challenge 3.1 – SQL Injection Manual
Challenge 3.2 – SQL Injection SQLMAP
Challenge 4.1 – Stored XSS