Learning Hub / Target Machines / Web Application Targets / DVWA

Set up DVWA

Guide 3.1.1 Difficulty: Beginner ~20 minutes

The Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web app built to be hacked. It even has adjustable security levels (Low, Medium, High, Impossible) so you can ramp up the challenge. We'll cover the fast Docker method and a manual install — choose one.

DVWA is intentionally insecure. Run it only on your isolated host-only lab network — never expose it to the internet.

Where to run DVWA

You have two sensible options:

  • On Kali itself, via Docker — fastest, fewest moving parts. The app listens on Kali's own address.
  • On a separate target VM (e.g. a minimal Debian guest) — more realistic, mirrors attacking a remote host.

For your first run, Docker on Kali is ideal.

Option A — Docker (recommended)

  1. Install Docker on Kali

    With internet temporarily enabled (see guide 2.2):

    kali@kali
    $ sudo apt update
    $ sudo apt install -y docker.io
    $ sudo systemctl enable --now docker
  2. Pull and run DVWA

    The community image starts a complete DVWA with its database in one command:

    kali@kali
    $ sudo docker run --rm -it -p 80:80 vulnerables/web-dvwa

    Now disable internet again — Docker keeps the image locally.

  3. Open DVWA

    In Kali's browser go to http://127.0.0.1. You'll see the DVWA login.

    The DVWA login page open in a browser inside Kali Linux
    Figure 1. The DVWA login page.

Option B — Manual install on a target VM

To practise attacking a remote host, install DVWA on a separate Debian/Ubuntu VM with a LAMP stack:

target VM
$ sudo apt update
$ sudo apt install -y apache2 mariadb-server php php-mysqli php-gd git
$ cd /var/www/html
$ sudo git clone https://github.com/digininja/DVWA.git dvwa
$ sudo cp dvwa/config/config.inc.php.dist dvwa/config/config.inc.php

Create the database and user, set them in config.inc.php, then browse to http://<target-ip>/dvwa/setup.php and click Create / Reset Database.

First login & database setup

  1. Log in

    Default credentials are admin / password.

  2. Create the database

    On the Setup / Reset DB page, click Create / Reset Database. DVWA initialises its tables and returns you to the login.

    The DVWA database setup page with the Create / Reset Database button
    Figure 2. Initialising the DVWA database.
  3. Set the security level

    Go to DVWA Security and start at Low. Raise it as your skills grow.

    The DVWA security level page set to Low
    Figure 3. Setting the DVWA security level to Low.

Confirm Kali can reach it

If DVWA runs on a separate VM, confirm reachability from Kali (replace with your target's IP):

kali@kali
$ curl -I http://192.168.56.20/dvwa/login.php
HTTP/1.1 302 Found

Checkpoint: DVWA loads, you're logged in, the database is created, and security is set to Low. You're ready to practise web attacks — try the SQL Injection and XSS modules first.

Pair this with the Methodology section: treat DVWA as a real engagement — recon the app, find an input, exploit it, and write up what you did.