git404hub

what is dvwa fr?

digininja/dvwa — explained in plain English

Analysis updated 2026-06-24

13,062PHPAudience · ops devopsComplexity · 2/5LicenseSetup · easy

tl;dr

DVWA (Damn Vulnerable Web Application) is an intentionally insecure PHP app for practicing common web attack techniques legally and safely on a private machine, never on a public server.

vibe map

mindmap
  root((DVWA))
    What It Is
      Intentionally insecure app
      Security practice tool
    Vulnerabilities
      SQL injection
      XSS
      Hidden extras
    Difficulty Levels
      Beginner guided mode
      Advanced no hints
    Setup
      XAMPP on Windows Mac
      Docker containers
      Linux install script

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Practice finding and exploiting common web vulnerabilities like SQL injection and XSS in a safe, legal environment.

VIBE 2

Study web security at adjustable difficulty levels, from beginner guided mode to realistic advanced mode with no hints.

VIBE 3

Use DVWA as a teaching tool in a security course or workshop running on a private network.

what's the stack?

PHPMariaDBDockerXAMPP

how it stacks up fr

digininja/dvwaqloapps/qloappsroots/sage
Stars13,06213,20113,211
LanguagePHPPHPPHP
Setup difficultyeasymoderatemoderate
Complexity2/53/53/5
Audienceops devopspm founderdeveloper

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · easy time til it works · 30min

Must only run on a private, offline machine, never on a public or internet-connected server.

Free to use and modify, but any version you distribute must also be open source under the GPL.

in plain english

DVWA (Damn Vulnerable Web Application) is a PHP web application intentionally built with security holes. Security professionals, students, and web developers use it to practice finding and exploiting common vulnerabilities in a safe, legal environment. It must only run on a private, offline machine or a virtual machine, never on a public server or shared hosting. The application covers common web attacks at multiple difficulty levels, from beginner-friendly guided modes to harder, more realistic ones with no hints. There are also undocumented vulnerabilities hidden inside on purpose, giving advanced users extra things to find beyond the named challenges. Getting it running requires a web server with PHP and a MariaDB database. On Windows or Mac, XAMPP handles that setup quickly. On Debian-based Linux systems like Kali or Ubuntu, a community-maintained automated install script can handle the whole process. Docker is also supported, letting you run the full environment in containers with a couple of commands. The project is open source under the GNU General Public License. It is available in more than a dozen languages, including Chinese, Spanish, French, Russian, Korean, and Vietnamese, with community-contributed translations accepted via pull requests to the main repository. One firm warning runs through the README: never put DVWA on a live, internet-connected server. The application is designed to be broken into, and the creators take no responsibility for any server that gets compromised through it. The full README is longer than what was shown.

prompts (copy fr)

prompt 1
How do I run DVWA using Docker on my local machine and access it in a browser to start SQL injection practice?
prompt 2
Walk me through exploiting the SQL injection vulnerability in DVWA at medium difficulty, without any hints from the app.
prompt 3
How do I switch DVWA to the highest security level to search for the undocumented hidden vulnerabilities in the application?

Frequently asked questions

what is dvwa fr?

DVWA (Damn Vulnerable Web Application) is an intentionally insecure PHP app for practicing common web attack techniques legally and safely on a private machine, never on a public server.

What language is dvwa written in?

Mainly PHP. The stack also includes PHP, MariaDB, Docker.

What license does dvwa use?

Free to use and modify, but any version you distribute must also be open source under the GPL.

How hard is dvwa to set up?

Setup difficulty is rated easy, with roughly 30min to a first successful run.

Who is dvwa for?

Mainly ops devops.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.