Damn Vulnerable Web Application (DVWA) is a purposely insecure PHP/MySQL web application created for security professionals, web developers, students, and teachers to learn about web application security in a controlled environment. The application is intended to help security professionals test their skills and tools in a legal setting and help web developers understand the process of securing web applications. DVWA is designed to provide a simple and straightforward interface to practice some of the most common web vulnerabilities at various difficulty levels. It contains both documented and undocumented vulnerabilities, which encourages users to identify as many issues as possible.
To get started, download the source code from GitHub and set it up on Kali Linux. DVWA needs a web server with PHP and a MySQL-compatible database; Kali already ships Apache, PHP and MariaDB (managed as the mysql service), so nothing extra has to be installed.
Download and unzip DVWA:
wget https://github.com/ethicalhack3r/DVWA/archive/master.zip -O dvwa.zip
unzip dvwa.zip
Start Apache and MySQL:
service apache2 start
service mysql start
Move DVWA to /var/www/html and set permissions. Note that 755 alone leaves the tree read-only for the Apache user (www-data); the File Upload module writes to hackable/uploads and PHPIDS writes its log under external/phpids, so give www-data ownership of those paths if you intend to use them:
mv DVWA-master /var/www/html/dvwa
cd /var/www/html
chmod -R 755 dvwa/
Next, copy config/config.inc.php.dist to config/config.inc.php and enter the MySQL user and password DVWA should connect with. On current Kali the MariaDB root account authenticates through the unix socket rather than with a password, so create a dedicated database user for DVWA and put its credentials in the config file. Then open http://127.0.0.1/dvwa/setup.php and click Create / Reset Database; the setup page creates the dvwa database and also lists the PHP settings it expects (for example allow_url_include for the file inclusion exercises).
You can then log in at http://127.0.0.1/dvwa with the default credentials admin / password.
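The steps above as one script, added here as an example rather than taken from DVWA or its README. It assumes a Debian-based Kali with apache2, php and mariadb-server installed, Apache running as www-data, and that it is run with sudo so that the unix-socket MariaDB root account can create the database user. The database user name, password and the DVWA_INSTALL guard variable are placeholders chosen for this example; the helper functions that render the config file and the SQL are separated so they can be checked without touching the system.

```shell
#!/usr/bin/env bash
# Added example (not part of DVWA): scripted install of DVWA on Kali.
# Assumptions: Debian-based Kali, apache2/php/mariadb-server present,
# Apache runs as www-data, "mysql" as root uses unix_socket auth.
# DVWA_DB_USER / DVWA_DB_PASS are placeholders; change them.
set -eu

DVWA_ZIP_URL="https://github.com/ethicalhack3r/DVWA/archive/master.zip"
DVWA_ROOT="${DVWA_ROOT:-/var/www/html/dvwa}"
DVWA_DB_USER="${DVWA_DB_USER:-dvwa}"
DVWA_DB_PASS="${DVWA_DB_PASS:-p@ssw0rd}"

# Print the SQL that creates the dvwa database and a dedicated user limited
# to it. A separate user is needed because root on a stock Kali MariaDB
# authenticates via unix_socket, which PHP running as www-data cannot use.
# (Placeholder credentials: no quoting of ' or | in the password is done.)
dvwa_db_sql() {
    user="$1"; pass="$2"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS dvwa;
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON dvwa.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Print config.inc.php.dist with the db_user / db_password lines rewritten.
# The dist file carries lines of the form:  $_DVWA[ 'db_user' ] = 'dvwa';
dvwa_render_config() {
    dist="$1"; user="$2"; pass="$3"
    sed -e "s|^\(\\\$_DVWA\[ *'db_user' *\] *= *\).*|\1'$user';|" \
        -e "s|^\(\\\$_DVWA\[ *'db_password' *\] *= *\).*|\1'$pass';|" \
        "$dist"
}

# Full install: fetch, unpack, place under the web root, fix ownership,
# write the config, start services, create the database user.
dvwa_install() {
    if [ -e "$DVWA_ROOT" ]; then
        echo "$DVWA_ROOT already exists; remove it first" >&2
        return 1
    fi
    tmp="$(mktemp -d)"
    wget -q "$DVWA_ZIP_URL" -O "$tmp/dvwa.zip"
    unzip -q "$tmp/dvwa.zip" -d "$tmp"
    mv "$tmp/DVWA-master" "$DVWA_ROOT"
    rm -rf "$tmp"
    # www-data must be able to write hackable/uploads (File Upload module)
    # and the PHPIDS log; giving it ownership of the tree covers both.
    chown -R www-data:www-data "$DVWA_ROOT"
    chmod -R 755 "$DVWA_ROOT"
    dvwa_render_config "$DVWA_ROOT/config/config.inc.php.dist" \
        "$DVWA_DB_USER" "$DVWA_DB_PASS" > "$DVWA_ROOT/config/config.inc.php"
    chmod 640 "$DVWA_ROOT/config/config.inc.php"   # keep the DB password off other local users
    service mysql start
    service apache2 start
    dvwa_db_sql "$DVWA_DB_USER" "$DVWA_DB_PASS" | mysql
    echo "Now open http://127.0.0.1/dvwa/setup.php and click 'Create / Reset Database'."
}

# Only perform the install when explicitly requested, e.g.
#   sudo DVWA_INSTALL=1 bash install-dvwa.sh
if [ "${DVWA_INSTALL:-0}" = "1" ]; then
    dvwa_install
fi
```

Run it as sudo DVWA_INSTALL=1 bash install-dvwa.sh; without the guard variable the script only defines the functions, which makes it safe to source and inspect. The config file is left readable by www-data only, since it holds the database password, and the database user is granted rights on dvwa.* alone rather than on the whole server.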
Set the security level to low under the 'DVWA Security' tab to begin with the simplest instance of each vulnerability; the level is stored in the security cookie and selects which version of each module's vulnerable code runs.
Never expose this application to the internet or to any network you do not control, and when you are done reset the security level to impossible or stop Apache.