Damn Vulnerable Web Application
DVWA is a PHP/MySQL web application intentionally designed to be highly vulnerable for security testing and training. It provides a legal environment to practice common web vulnerabilities at various difficulty levels.
Description
Damn Vulnerable Web Application (DVWA) is a package containing a PHP/MySQL web application that is deliberately vulnerable. Its main goal is to aid security professionals in testing their skills and tools in a legal environment, help web developers understand securing web applications, and assist students and teachers in learning web application security in a controlled classroom setting.
The aim of DVWA is to practice some of the most common web vulnerabilities with various levels of difficulty through a simple, straightforward interface. It intentionally includes both documented and undocumented vulnerabilities, encouraging users to discover as many issues as possible.
WARNING: Do not upload it to your hosting provider’s public html folder or any Internet-facing servers, as they will be compromised.
How It Works
DVWA operates as a PHP/MySQL web application served via Apache2 or Nginx with PHP 8.4 and MariaDB. It simulates common web vulnerabilities like SQL injection, XSS, and others at multiple security levels (low, medium, high, impossible), allowing controlled testing of exploitation techniques and security tools through a browser-based interface.
Installation
sudo apt install dvwa
Examples
sudo apt install dvwa
dvwa-start
dvwa-stop
sudo systemctl start apache2
sudo systemctl start mariadb
sudo systemctl start php8.4-fpm