Damn Vulnerable Web Application: DVWA

Posted on Posted in Tools

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid both students & teachers to learn about web application security in a controlled class room environment.


Damn Vulnerable Web Application is damn vulnerable! Do not upload it to your hosting provider’s public html folder or any Internet facing servers, as they will be compromised. It is recommend using a virtual machine (such as VirtualBox or VMware), which is set to NAT networking mode. Inside a guest machine, you can downloading and install XAMPP for the web server and database.


DVWA is available either as a package that will run on your own web server or as a Live CD:

  • DVWA Development Source (Latest) Download ZIP
    git clone https://github.com/RandomStorm/DVWA
  • DVWA v1.9 Source (Stable) – [1.3 MB] Download ZIP – Released 2015-10-05
  • DVWA v1.0.7 LiveCD – [480 MB] Download ISO – Released 2010-09-08

The easiest way to install DVWA is to download and install ‘XAMPP’ if you do not already have a web server setup.

XAMPP is a very easy to install Apache Distribution for Linux, Solaris, Windows and Mac OS X. The package includes the Apache web server, MySQL, PHP, Perl, a FTP server and phpMyAdmin.

XAMPP can be downloaded from:


Simply unzip dvwa.zip, place the unzipped files in your public html folder, then point your browser to:

Damn Vulnerable Web Application: DVWA Damn Vulnerable Web Application: DVWADefault username = admin

Default password = password


Linux Packages

If you are using a Debian based Linux distribution, you will need to install the following packages (or their equivalent):

apt-get -y install apache2 mysql-server php5 php5-mysql php-pear php5-gd

Database Setup

To set up the database, simply click on the Setup button in the main menu, then click on the ‘Create / Reset Database’ button. This will create / reset the database for you with some data in.

If you receive an error while trying to create your database, make sure your database credentials are correct within /config/config.inc.php

The variables are set to the following by default:

$_DVWA['db_user'] = 'root';
$_DVWA['db_password'] = '';
$_DVWA['db_database'] = 'dvwa';


Quelle: CyberPunk

Video – Install

Challenge 1 – Upload a shell

Challenge 2.1 – Command Execution Win

Challenge 2.2 – Command Execution Linux

Challenge 3.1 -SQL Injection Manuell

Challenge 3.2 -SQL Injection SQLMAP

Challange 4.1 – Stored XSS