
Damn Vulnerable Web Application

DVWA is a PHP/MySQL web application intentionally designed to be highly vulnerable for security testing and training. It provides a legal environment to practice common web vulnerabilities at various difficulty levels.

Description

Damn Vulnerable Web Application (DVWA) is a package containing a PHP/MySQL web application that is deliberately vulnerable. Its main goal is to aid security professionals in testing their skills and tools in a legal environment, help web developers understand securing web applications, and assist students and teachers in learning web application security in a controlled classroom setting.

The aim of DVWA is to practice some of the most common web vulnerabilities with various levels of difficulty through a simple, straightforward interface. It intentionally includes both documented and undocumented vulnerabilities, encouraging users to discover as many issues as possible.

WARNING: Do not upload it to your hosting provider’s public html folder or any Internet-facing servers, as they will be compromised.

How It Works

DVWA operates as a PHP/MySQL web application served via Apache2 or Nginx with PHP 8.4 and MariaDB. It simulates common web vulnerabilities like SQL injection, XSS, and others at multiple security levels (low, medium, high, impossible), allowing controlled testing of exploitation techniques and security tools through a browser-based interface.

Installation

sudo apt install dvwa

Examples

Installs the DVWA package including all dependencies for the vulnerable web application.
sudo apt install dvwa
Starts the DVWA web server (Apache2/Nginx, PHP-FPM, MariaDB) to access the application.
dvwa-start
Stops the DVWA web server services after testing sessions.
dvwa-stop
Manually starts Apache2 web server dependency for DVWA if needed.
sudo systemctl start apache2
Manually starts MariaDB database server required by DVWA.
sudo systemctl start mariadb
Starts the PHP 8.4 FPM service for DVWA web application processing.
sudo systemctl start php8.4-fpm
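To act on the warning above about Internet-facing servers, this added example (not part of the DVWA package or the original page) checks whether the lab's services listen beyond loopback once they are started. Ports 80 and 3306 are assumed defaults for the web server and MariaDB, the function names are hypothetical, and the sample `ss` output is constructed.

```shell
#!/bin/sh
# Added example: flag DVWA lab services bound to non-loopback addresses.
# Assumption: the lab uses port 80 (HTTP) and 3306 (MariaDB); override
# LAB_PORTS if your install differs.
LAB_PORTS="${LAB_PORTS:-80 3306}"

# exposed_listeners: reads `ss -ltnH` lines on stdin and prints "addr:port"
# for every lab port whose listener is not restricted to loopback.
exposed_listeners() {
    awk -v ports="$LAB_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            local_addr = $4                 # column 4 = Local Address:Port
            port = local_addr
            sub(/.*:/, "", port)            # keep text after the last colon
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (!(port in want)) next       # not a lab service
            if (addr ~ /^127\./ || addr == "[::1]") next        # loopback only
            if (addr ~ /^\[::ffff:127\./) next                  # mapped loopback
            print addr ":" port             # wildcard or routable address
        }'
}

# check_lab_exposure: returns 1 and reports on stderr if anything is exposed.
check_lab_exposure() {
    found=$(exposed_listeners)
    if [ -n "$found" ]; then
        printf 'lab service reachable beyond loopback:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `ss -ltnH` output: the web server is loopback-only,
# MariaDB is bound to all interfaces, and SSH (not a lab port) is ignored.
SAMPLE_SS_OUTPUT='LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::1]:80 [::]:*'

# Demo on the sample; on a live host use: ss -ltnH | check_lab_exposure
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners
```

A listener on a wildcard address is only a finding if the host itself is reachable from other networks, so pair this check with a host firewall or an isolated VM network.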
Updated 2026-04-16. Source: kali.org