explaingit

digininja/dvwa

13,062 · PHP · Audience · ops devops · Complexity · 2/5 · License · Setup · easy

TLDR

DVWA (Damn Vulnerable Web Application) is an intentionally insecure PHP app for practicing common web attack techniques legally and safely on a private machine, never on a public server.

Mindmap

mindmap
  root((DVWA))
    What It Is
      Intentionally insecure app
      Security practice tool
    Vulnerabilities
      SQL injection
      XSS
      Hidden extras
    Difficulty Levels
      Beginner guided mode
      Advanced no hints
    Setup
      XAMPP on Windows Mac
      Docker containers
      Linux install script

Things people build with this

USE CASE 1

Practice finding and exploiting common web vulnerabilities like SQL injection and XSS in a safe, legal environment.

USE CASE 2

Study web security at adjustable difficulty levels, from beginner guided mode to realistic advanced mode with no hints.

USE CASE 3

Use DVWA as a teaching tool in a security course or workshop running on a private network.

Tech stack

PHP · MariaDB · Docker · XAMPP

Getting it running

Difficulty · easy · Time to first run · 30min

Must only run on a private, offline machine, never on a public or internet-connected server.

Free to use and modify, but any version you distribute must also be open source under the GPL.

In plain English

DVWA (Damn Vulnerable Web Application) is a PHP web application intentionally built with security holes. Security professionals, students, and web developers use it to practice finding and exploiting common vulnerabilities in a safe, legal environment. It must only run on a private, offline machine or a virtual machine, never on a public server or shared hosting.

The application covers common web attacks at multiple difficulty levels, from beginner-friendly guided modes to harder, more realistic ones with no hints. There are also undocumented vulnerabilities hidden inside on purpose, giving advanced users extra things to find beyond the named challenges.

Getting it running requires a web server with PHP and a MariaDB database. On Windows or Mac, XAMPP handles that setup quickly. On Debian-based Linux systems like Kali or Ubuntu, a community-maintained automated install script can handle the whole process. Docker is also supported, letting you run the full environment in containers with a couple of commands.

The project is open source under the GNU General Public License. It is available in more than a dozen languages, including Chinese, Spanish, French, Russian, Korean, and Vietnamese, with community-contributed translations accepted via pull requests to the main repository.

One firm warning runs through the README: never put DVWA on a live, internet-connected server. The application is designed to be broken into, and the creators take no responsibility for any server that gets compromised through it. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
How do I run DVWA using Docker on my local machine and access it in a browser to start SQL injection practice?
Prompt 2
Walk me through exploiting the SQL injection vulnerability in DVWA at medium difficulty, without any hints from the app.
Prompt 3
How do I switch DVWA to the highest security level to search for the undocumented hidden vulnerabilities in the application?

Verify against the repo before relying on details.