Damn Vulnerable Web App (DVWA) v1.0.6 released

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Damn Vulnerable Web App (DVWA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

PNG - 5.3 kb

Version v1.0.6

  • Fixed a bug where the logo would not show on first time use. 03/09/2009 (ethicalhack3r)
  • Removed ’current password’ input box for low+med CSRF security. 03/09/2009 (ethicalhack3r)
  • Added an article which was written for OWASP Turkey. 03/10/2009 (ethicalhack3r)
  • Added more toubleshooting information. 02/10/2009 (ethicalhack3r)
  • Stored XSS high now sanitises output. 02/10/2009 (ethicalhack3r)
  • Fixed a ’bug’ in XSS stored low which made it not vulnerable. 02/10/2009 (ethicalhack3r)
  • Rewritten command execution high to use a whitelist. 30/09/09 (ethicalhack3r)
  • Fixed a command execution vulnerability in exec high. 17/09/09 (ethicalhack3r)
  • Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/09 (ethicalhack3r)
  • Added the upload directory to the upload help. 17/09/09 (ethicalhack3r)


  • SQL Injection
  • XSS Stored/Reflected
  • LFI (Local File Inclusion)
  • RFI (Remote File Inclusion)
  • Command Execution
  • Upload Script
  • Login Brute Force
  • Full Path Disclosure
  • And much more...


  • Installation video: YouTube
    Default username = admin
    Default password = password

Database Setup
To set up the database, simply click on the Setup button in the main menu, then click on the ’Create / Reset Database’ button. This will create / reset the database for you with some data in.

If you receive an error while trying to create your database, make sure your database credentials are correct within /config/config.inc.php

$_DVWA[ 'db_user' ] = 'your_database_username';
$_DVWA[ 'db_password' ] = 'your_database_password';
$_DVWA[ 'db_database' ] = 'your_database_name';

Everyone is welcome to contribute and help make DVWA as successful as it can be. With out the DVWA community DVWA would not be what it is today.

More information, Official Web Site: DVWA

Post scriptum


Related Articles