Set up DVWA
The Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web app built to be hacked. It even has adjustable security levels (Low, Medium, High, Impossible) so you can ramp up the challenge. We'll cover the fast Docker method and a manual install — choose one.
DVWA is intentionally insecure. Run it only on your isolated host-only lab network — never expose it to the internet.
Where to run DVWA
You have two sensible options:
- On Kali itself, via Docker — fastest, fewest moving parts. The app listens on Kali's own address.
- On a separate target VM (e.g. a minimal Debian guest) — more realistic, mirrors attacking a remote host.
For your first run, Docker on Kali is ideal.
Option A — Docker (recommended)
-
Install Docker on Kali
With internet temporarily enabled (see guide 2.2):
kali@kali$ sudo apt update $ sudo apt install -y docker.io $ sudo systemctl enable --now docker
-
Pull and run DVWA
The community image starts a complete DVWA with its database in one command:
kali@kali$ sudo docker run --rm -it -p 80:80 vulnerables/web-dvwaNow disable internet again — Docker keeps the image locally.
-
Open DVWA
In Kali's browser go to
http://127.0.0.1. You'll see the DVWA login.
Figure 1. The DVWA login page.
Option B — Manual install on a target VM
To practise attacking a remote host, install DVWA on a separate Debian/Ubuntu VM with a LAMP stack:
$ sudo apt update $ sudo apt install -y apache2 mariadb-server php php-mysqli php-gd git $ cd /var/www/html $ sudo git clone https://github.com/digininja/DVWA.git dvwa $ sudo cp dvwa/config/config.inc.php.dist dvwa/config/config.inc.php
Create the database and user, set them in config.inc.php, then browse to http://<target-ip>/dvwa/setup.php and click Create / Reset Database.
First login & database setup
-
Log in
Default credentials are
admin/password. -
Create the database
On the Setup / Reset DB page, click Create / Reset Database. DVWA initialises its tables and returns you to the login.
Figure 2. Initialising the DVWA database. -
Set the security level
Go to DVWA Security and start at Low. Raise it as your skills grow.
Figure 3. Setting the DVWA security level to Low.
Confirm Kali can reach it
If DVWA runs on a separate VM, confirm reachability from Kali (replace with your target's IP):
$ curl -I http://192.168.56.20/dvwa/login.php HTTP/1.1 302 Found
Checkpoint: DVWA loads, you're logged in, the database is created, and security is set to Low. You're ready to practise web attacks — try the SQL Injection and XSS modules first.
Pair this with the Methodology section: treat DVWA as a real engagement — recon the app, find an input, exploit it, and write up what you did.