Ever wanted to practice your web security skills without the risk of breaking the law or damaging real systems? That’s exactly what Damn Vulnerable Web Application (DVWA) was designed for.
DVWA is a deliberately insecure PHP/MySQL web application that serves as a safe playground for security professionals, web developers, students, and educators. Think of it as a controlled environment where you can experiment with real-world vulnerabilities without any legal or ethical concerns.
The beauty of DVWA is that it provides a straightforward interface to practice the most common web vulnerabilities at different difficulty levels. It includes both well-documented vulnerabilities (perfect for learning) and some undocumented ones (great for testing your discovery skills). This encourages you to think like both an attacker and a defender.
I recommend setting up DVWA on Kali Linux since it comes with most of the security tools you’ll need pre-installed. DVWA requires Apache and MySQL, which are already included with Kali, making the setup process much smoother.
wget https://github.com/ethicalhack3r/DVWA/archive/master.zip -O dvwa.zip
unzip dvwa.zip
service apache2 start
service mysql start
mv DVWA-master /var/www/html/dvwa
cd /var/www/html
chmod -R 755 dvwa/
After completing the setup, you’ll need to update the MySQL password in the DVWA configuration file to create the dvwa database.

You can now access the login page by visiting http://127.0.0.1/dvwa. I recommend starting with the default credentials (admin/password) and setting the security level to low under the ‘DVWA Security’ tab. This will give you access to the most straightforward vulnerabilities to begin learning.

⚠️ Never expose this web application on a public network - it’s designed to be vulnerable!
⚠️ Always reset the security level to impossible when you’re done practicing.
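One way to check the first warning on the lab host, as an added example that is not part of the original post: the function below reads `ss -H -ltn` output and reports any Apache or MySQL listener bound to something other than loopback. It assumes the default ports 80 and 3306 and that `ss` (iproute2) is available; the function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag lab services that listen beyond loopback.
# Assumption: Apache and MySQL use their default ports (80 and 3306).

# Reads `ss -H -ltn` output on stdin and prints every addr:port pair on the
# watched ports that is bound to something other than 127.0.0.0/8 or ::1.
exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            n = split($4, parts, ":")   # port is the text after the last colon
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port != "80" && port != "3306") next
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr ":" port
        }'
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 511 *:80 *:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 [::]:3306 [::]:*'

# Returns 0 when nothing on stdin is exposed, 1 otherwise, so it can gate a
# lab start-up script.
lab_is_local_only() {
    [ -z "$(exposed_listeners)" ]
}

# Demonstration on the constructed sample: the wildcard Apache listener and
# the IPv6 wildcard MySQL listener are reported, the loopback one is not.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
# On a live host: ss -H -ltn | exposed_listeners
```

If the check reports a listener, bind the service to 127.0.0.1 or block the port at the host firewall before you start practicing.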
In the next post, we’ll dive into our first vulnerability exploitation - using brute force techniques to gain access to the application without knowing the password. This will give you hands-on experience with one of the most common attack vectors in web security.
Ready to start your ethical hacking journey? Let me know if you run into any issues during the setup process!