DVWA Lab Setup 2026 — Complete Beginner Guide (Install & Hack in 15 Minutes)

🧪 DVWA Lab Series — #1 of 30
Foundation: DVWA Lab Setup 2026 & Configuration
Next: Brute Force Lab →

Every ethical hacker needs a personal lab where they can attack freely, fail without consequences, and run the same vulnerability type ten times until it becomes muscle memory. DVWA (Damn Vulnerable Web Application) is the standard starting point that professionals worldwide have relied on for over a decade — and this is the definitive 2026 setup guide that gets you from zero to fully configured in under 15 minutes using Docker, with no manual Apache or PHP configuration required.

DVWA has been the go-to practice target for web application security since 2008. Unlike online labs that go offline or require subscriptions, a local DVWA installation is always available, infinitely resettable, and gives you a genuine web application to probe — not a simulated quiz. This guide covers the 2026 setup using Docker for a clean, repeatable install, plus the traditional Apache/MySQL method if you prefer a persistent installation. Either setup works identically with all 30 labs in this series.


What Is DVWA and What the 30-Lab Series Covers

DVWA is a PHP/MySQL web application built to contain every major web vulnerability class in a controlled, sandboxed environment. What makes it uniquely valuable for learning is the source code viewer: at every security level you can click “View Source” to see exactly what the vulnerable code looks like, then switch to Impossible security to see the correct secure implementation side by side. Reading the broken code next to the fixed code is what turns a payload you memorised into a pattern you recognise.

DVWA 30-LAB SERIES — Complete Module Coverage
Lab 1 — Setup (this guide)
Lab 2 — Brute Force
Lab 3 — Command Injection
Lab 4 — CSRF
Lab 5 — File Inclusion (LFI)
Lab 6 — File Upload
Lab 7 — SQL Injection
Lab 8 — SQL Injection Blind
Lab 9 — XSS Reflected
Lab 10 — XSS Stored
Lab 11 — XSS DOM
Labs 12–30 — Advanced

📸 DVWA 1.10 login page at http://127.0.0.1/login.php on the Docker image, reached once the first-run “Create / Reset Database” step is done. Default credentials are intentionally weak: admin / password.

Method 1 — Docker Install (Recommended, 3 Commands)

Docker is the cleanest way to run DVWA in 2026. No manual PHP configuration, no Apache setup, no database user creation — the entire stack runs inside a pre-configured container. You can start it, stop it, and completely reset it with single commands, making it ideal for a practice lab you use repeatedly.

DOCKER INSTALLATION — COMPLETE SETUP
# STEP 1 — Install Docker on Kali (skip if already installed)
sudo apt update && sudo apt install -y docker.io
sudo systemctl start docker && sudo systemctl enable docker
sudo usermod -aG docker $USER && newgrp docker

# STEP 2 — Pull and start DVWA (one command)
# Binding to 127.0.0.1 keeps the deliberately vulnerable app off your LAN;
# a plain "-p 80:80" would publish it on every interface of the host.
docker run -d --name dvwa -p 127.0.0.1:80:80 vulnerables/web-dvwa
# First run: downloads ~200MB image. Later starts are instant.
# Port conflict? Use: -p 127.0.0.1:8080:80 and access via http://127.0.0.1:8080
# This image serves DVWA at the web root, so its pages are /login.php, /setup.php,
# /vulnerabilities/brute/ and so on (the manual install below lives under /dvwa/).

# STEP 3 — Verify running
docker ps | grep dvwa
# Expected: dvwa   Up X seconds   127.0.0.1:80->80/tcp

# Open in browser (the first visit lands on setup.php: click "Create / Reset Database")
firefox http://127.0.0.1 &

# ─── DAILY WORKFLOW ───
# Start DVWA (keeps the database state from your last session):
docker start dvwa
# Stop DVWA:
docker stop dvwa
# Full reset (clean slate):
docker rm -f dvwa && docker run -d --name dvwa -p 127.0.0.1:80:80 vulnerables/web-dvwa

🛠️ EXERCISE 1 — BROWSER ONLY (5 MIN)
Complete the DVWA first-time setup and explore every module

⏱️ Time: 5 minutes · Target: http://127.0.0.1 (your local DVWA)

Step 1: Open http://127.0.0.1 in Firefox
Step 2: Scroll to bottom of setup page → click “Create / Reset Database”
Step 3: You are redirected to /login.php
Step 4: Login: username=admin, password=password
Step 5: Explore the left menu — confirm all modules are listed:
Brute Force, Command Injection, CSRF, File Inclusion,
File Upload, SQL Injection (×2), XSS (×3), DVWA Security
Step 6: Click “DVWA Security” → set to “Low” → Submit
Step 7: Click “View Source” on any module page to see vulnerable code
✅ What you just learned: DVWA is fully operational. The security level slider (Low → Medium → High → Impossible) is the core learning mechanism — always start at Low to understand the attack, progress to Impossible to see the correct secure implementation. All 29 remaining labs in this series begin with Low security.

📸 Screenshot DVWA menu with all modules visible and share in #dvwa-lab-series on Discord.

🧠 QUICK CHECK

What does the “Impossible” security level in DVWA show you?




Method 2 — Manual Install on Kali Linux (Apache + MySQL)

If you prefer a persistent installation that survives reboots without a running container, use this method to install DVWA directly on Kali’s Apache and MariaDB stack. This also lets you modify the PHP source files directly, which is useful for more advanced lab exercises.

MANUAL INSTALL — APACHE + MARIADB + PHP
# STEP 1 — Install the LAMP stack
sudo apt update && sudo apt install -y apache2 mariadb-server php php-mysqli php-gd libapache2-mod-php git
sudo systemctl start apache2 mariadb && sudo systemctl enable apache2 mariadb

# STEP 2 — Clone DVWA into web root
sudo git clone https://github.com/digininja/DVWA.git /var/www/html/dvwa
sudo cp /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php

# STEP 3 — Create DVWA database and user
# 'dvwa' / 'p@ssw0rd' are the values shipped in config.inc.php.dist; if you change one side, change the other.
sudo mysql -u root -e "CREATE DATABASE dvwa; CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd'; GRANT ALL ON dvwa.* TO 'dvwa'@'localhost'; FLUSH PRIVILEGES;"

# STEP 4 — Update config with database credentials (a no-op with the defaults above; needed if you chose your own)
sudo sed -i "s/\$_DVWA\[ 'db_user' \] = '.*';/\$_DVWA[ 'db_user' ] = 'dvwa';/" /var/www/html/dvwa/config/config.inc.php
sudo sed -i "s/\$_DVWA\[ 'db_password' \] = '.*';/\$_DVWA[ 'db_password' ] = 'p@ssw0rd';/" /var/www/html/dvwa/config/config.inc.php

# STEP 5 — Fix PHP settings and permissions
sudo sed -i 's/allow_url_include = Off/allow_url_include = On/' /etc/php/*/apache2/php.ini
sudo chown -R www-data:www-data /var/www/html/dvwa && sudo chmod -R 755 /var/www/html/dvwa
sudo systemctl restart apache2

# Access at: http://127.0.0.1/dvwa/ (then setup.php → "Create / Reset Database")
firefox http://127.0.0.1/dvwa/ &

⚠️ allow_url_include Warning: Enabling allow_url_include in PHP is needed only for the remote part of DVWA’s File Inclusion module (including a URL rather than a local file); local inclusion works without it. It lets any include()/require() with attacker-controlled input pull code from a remote server, which is why it is Off by default and a serious risk on any internet-facing host. It is acceptable on a localhost lab machine, but never do this on a production or internet-connected system.

Post-Install Configuration and the Security Level System

The security level system is the heart of how DVWA teaches web security. Every vulnerability module has four versions of the same page, each with progressively stronger (and ultimately correct) defences. Progressing through all four levels on each module is the fastest way to build both offensive and defensive intuition simultaneously.

DVWA Security Level System — Your Learning Path
🔴 LOW — Start Here
No input filtering. All vulnerabilities exploitable directly with basic payloads. Learn the attack technique without friction. All 30 labs cover this level first.

🟡 MEDIUM — Common Mistakes
Basic blacklist filtering applied. Requires bypass techniques. Represents a developer who tried to add security but used the wrong approach — blacklists instead of whitelists.

🔵 HIGH — Better But Flawed
Stronger filtering. Represents a developer who researched security but made subtle mistakes. Requires more advanced bypass payloads and techniques.

🟢 IMPOSSIBLE — The Goal
Correct secure implementation using parameterised queries, CSP, token validation, strict whitelists. Study this to understand what production code should actually look like.

📸 DVWA’s four security levels — the learning progression from raw vulnerability (Low) to correct implementation (Impossible) builds both attack and defence skills in parallel

Your First DVWA Attack — Exploring the Lab Environment

With DVWA running at Low security, you are ready to run your first attack. The Brute Force module is the best starting point — it requires no special tools, works directly from a browser or Burp Suite, and demonstrates instantly what an unprotected login form looks like from an attacker’s perspective.

⚡ EXERCISE 2 — KALI TERMINAL (DVWA LOCALHOST)
Your first credential brute force against DVWA using Hydra

⏱️ Time: 10 minutes · Target: DVWA Brute Force module on 127.0.0.1 (YOUR LAB ONLY)

Navigate to DVWA → Brute Force. Your goal is to find the correct password for the “admin” account using Hydra against this locally running lab application.

HYDRA AGAINST DVWA BRUTE FORCE MODULE
# Get your PHPSESSID first:
# Log into DVWA → F12 → Firefox: Storage → Cookies (Chrome: Application → Cookies) → copy the PHPSESSID value
# The brute module sits behind the login, so Hydra needs your session cookie to reach it; the
# security=low cookie pins the level, because DVWA stores the level in that cookie, not on the server.

# Paths: the Docker image serves DVWA at the web root (/vulnerabilities/brute/); the manual
# install lives under /dvwa/ (/dvwa/vulnerabilities/brute/). The commands below use the Docker path.

# Kali ships rockyou compressed; unpack it once:
sudo gunzip -k /usr/share/wordlists/rockyou.txt.gz

# Run Hydra (replace YOUR_PHPSESSID with your actual session cookie).
# Fields after the path: the form parameters, the failure string (F=), then the H= header.
# The colon after "Cookie" is escaped because ":" is Hydra's field separator.
hydra -l admin \
  -P /usr/share/wordlists/rockyou.txt \
  127.0.0.1 \
  http-get-form \
  "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie\: PHPSESSID=YOUR_PHPSESSID; security=low"

# Or use a small manual wordlist to test faster:
printf '%s\n' password 123456 admin letmein qwerty > /tmp/dvwa-test.txt
hydra -l admin -P /tmp/dvwa-test.txt 127.0.0.1 http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie\: PHPSESSID=YOUR_PHPSESSID; security=low"

# Expected: [80][http-get-form] host: 127.0.0.1   login: admin   password: password
# If Hydra reports every candidate as valid, the session cookie is wrong or expired: DVWA then
# answers each request with a redirect to login.php, which never contains the failure string.

The password is “password” and Hydra finds it within seconds: it is the fourth entry in rockyou.txt. After Hydra succeeds, switch DVWA to Medium security (change the cookie to security=medium in the Hydra command, or use the DVWA Security page in the browser) and notice what changes: the module now calls sleep(2) after every failed attempt. That is a delay, not rate limiting. There is no lockout and no per-client counter, so the same attack still works, only more slowly, and raising Hydra’s parallel task count (-t) recovers most of the lost throughput.

✅ What you just learned: A login form with no rate limiting, no lockout, and no CAPTCHA is trivially vulnerable to credential brute force. This is not theoretical — this pattern exists on real production systems every day. The next lab (DVWA Brute Force at Medium and High) shows how each attempted defence fails and what Impossible-level protection actually looks like.

📸 Screenshot your Hydra success output (password: password found) and share in #dvwa-lab-series on Discord.


Resetting DVWA and Troubleshooting Common Issues

One of DVWA’s greatest advantages for learning is the ability to reset the entire application between sessions — restoring all data to a clean state so you can practise the same vulnerability fresh. Here is how to reset and how to fix the most common setup problems.

RESET AND TROUBLESHOOT DVWA
# ─── RESET OPTIONS ───
# Browser reset (easiest; works for both install methods):
Navigate to http://127.0.0.1/setup.php (Docker) or http://127.0.0.1/dvwa/setup.php (manual) → click "Create / Reset Database"
# setup.php drops and recreates the database itself, so this alone restores a clean state.

# Docker full reset (clean container, also discards anything written to the filesystem, e.g. uploads):
docker rm -f dvwa && docker run -d --name dvwa -p 127.0.0.1:80:80 vulnerables/web-dvwa

# Manual install, only if setup.php itself fails: rebuild the database by hand, then run setup.php again
sudo mysql -u root -e "DROP DATABASE IF EXISTS dvwa; CREATE DATABASE dvwa; GRANT ALL ON dvwa.* TO 'dvwa'@'localhost';"
Then visit /dvwa/setup.php and click "Create / Reset Database"

# ─── COMMON ISSUES ───

# Issue: "Could not connect to the database" on setup page
# Fix: check that the config.inc.php credentials match your MariaDB user and that mariadb is running
sudo grep "db_" /var/www/html/dvwa/config/config.inc.php
systemctl status mariadb

# Issue: Port 80 already in use
sudo lsof -i :80
# Fix: stop the conflicting service, or use -p 127.0.0.1:8080:80 in the Docker command

# Issue: "allow_url_include is disabled" warning (manual install only)
sudo sed -i 's/allow_url_include = Off/allow_url_include = On/' /etc/php/*/apache2/php.ini
sudo systemctl restart apache2

# Issue: Docker not starting
sudo systemctl start docker && docker ps
docker logs dvwa   # shows container error output

🔥 EXERCISE 3 — KALI TERMINAL (FULL VERIFICATION)
Verify DVWA is fully functional and all modules are exploitable at Low security

⏱️ Time: 10 minutes · Target: Your DVWA localhost instance

Run this verification sequence to confirm your lab is ready for the entire 30-lab series. Test that every module loads and the security level change persists.

DVWA LAB READINESS CHECK
# Set BASE for your install: the Docker image serves DVWA at the root, the manual install under /dvwa
BASE=http://127.0.0.1          # Docker
# BASE=http://127.0.0.1/dvwa   # manual install
JAR=/tmp/dvwa-cookies.txt; rm -f $JAR

# Confirm DVWA is accessible (-L follows the redirect to login.php)
curl -s -L "$BASE/" | grep -i "damn vulnerable"
# Should return the page title containing "Damn Vulnerable Web Application"

# Log in. Since 1.9, login.php carries an anti-CSRF field (user_token) that must be posted
# back, so fetch it first with the same cookie jar; a POST without it is rejected.
TOKEN=$(curl -s -c $JAR -b $JAR "$BASE/login.php" | grep -o "user_token' value='[0-9a-f]*" | cut -d"'" -f3)
curl -s -c $JAR -b $JAR -L -d "username=admin&password=password&Login=Login&user_token=$TOKEN" "$BASE/login.php" | grep -i "Welcome"

# Show the security level for this curl session. The level lives in the "security" cookie,
# so a fresh session starts at the configured default (impossible in current DVWA), not at
# the Low you set in the browser; the Hydra exercise pins it with a security=low cookie.
curl -s -b $JAR "$BASE/security.php" | grep -io "currently: <em>[a-z]*"

# Check all key modules are accessible (fi/ without its page parameter redirects, so it gets one)
for MODULE in brute/ exec/ csrf/ "fi/?page=include.php" upload/ sqli/ sqli_blind/ xss_r/ xss_s/ xss_d/; do
  STATUS=$(curl -o /dev/null -s -w "%{http_code}" -b $JAR "$BASE/vulnerabilities/$MODULE")
  echo "$MODULE: $STATUS"
done
# All should return 200. A 302 means the session is missing or expired: log in again.
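The same check packaged as a reusable script, added here as an example and not taken from the original page or from the DVWA project. It assumes DVWA 1.9 or later markup (a hidden user_token field on login.php and security.php, regenerated on every page render), the default admin / password account, and that the Docker image answers at http://127.0.0.1 while the manual install answers at http://127.0.0.1/dvwa. Unlike the one-off commands above it also switches the session to Low through security.php, so the module checks run at the level the labs expect, and it refuses to continue if the token is missing rather than posting a form DVWA will reject.

```shell
#!/bin/sh
# dvwa-check.sh: DVWA lab readiness check with anti-CSRF token handling.
# Usage:  sh dvwa-check.sh http://127.0.0.1        # Docker image (DVWA at the web root)
#         sh dvwa-check.sh http://127.0.0.1/dvwa   # manual install (DVWA under /dvwa)
# Assumptions (not from the original page): DVWA 1.9+ markup with a hidden user_token
# on login.php and security.php, and the default admin / password account.
JAR="${JAR:-/tmp/dvwa-cookies.txt}"

# Pull the anti-CSRF token out of DVWA HTML read from stdin. DVWA renders it as
# <input type='hidden' name='user_token' value='<32 hex chars>' />; prints nothing if absent.
extract_token() {
    sed -n "s/.*name=['\"]user_token['\"] value=['\"]\([0-9a-f]\{32\}\)['\"].*/\1/p" | head -n 1
}

# Classify the HTTP status of a module page fetched with the session cookie.
verdict() {
    case "$1" in
        200) echo "OK" ;;
        302) echo "REDIRECT (session missing or expired)" ;;
        *)   echo "UNEXPECTED ($1)" ;;
    esac
}

# GET a page with the shared cookie jar, so session and token stay consistent across calls.
get() { curl -s -c "$JAR" -b "$JAR" "$1"; }

# Fetch a page to obtain its current token, then POST the form with that token.
# DVWA regenerates the token on every render, so fetch and post happen back to back.
post_with_token() {
    url="$1"; data="$2"
    token=$(get "$url" | extract_token)
    [ -n "$token" ] || { echo "no user_token found at $url" >&2; return 1; }
    curl -s -c "$JAR" -b "$JAR" -L --data "$data&user_token=$token" "$url"
}

main() {
    base="$1"
    rm -f "$JAR"

    echo "[1] reachability"
    curl -s -L "$base/" | grep -qi "damn vulnerable" \
        && echo "    DVWA answers at $base" || { echo "    nothing at $base" >&2; exit 1; }

    echo "[2] login as admin"
    post_with_token "$base/login.php" "username=admin&password=password&Login=Login" \
        | grep -q "Welcome" && echo "    logged in" || { echo "    login failed" >&2; exit 1; }

    echo "[3] set security level to low"
    post_with_token "$base/security.php" "security=low&seclev_submit=Submit" >/dev/null
    level=$(get "$base/security.php" | grep -io "currently: <em>[a-z]*" | sed 's/.*<em>//')
    echo "    level is now: ${level:-unknown}"

    echo "[4] module pages"
    # fi/ without its page parameter redirects, so it is requested with ?page=include.php
    for m in brute/ exec/ csrf/ "fi/?page=include.php" upload/ sqli/ sqli_blind/ xss_r/ xss_s/ xss_d/; do
        status=$(curl -s -o /dev/null -w '%{http_code}' -b "$JAR" "$base/vulnerabilities/$m")
        printf '    %-22s %s %s\n' "$m" "$status" "$(verdict "$status")"
    done
}

# Only run the check when a base URL is given, so the functions can be sourced or tested alone.
if [ $# -ge 1 ]; then main "$1"; fi
```

Run it as `sh dvwa-check.sh http://127.0.0.1` before each lab session. Every module line should read 200 OK; a run of REDIRECT lines means step 2 did not actually log in (wrong credentials, or the database has not been created on setup.php yet), and "no user_token found" means the page at that URL is not a DVWA form at all, which usually points at the wrong base path for your install method.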

✅ What you just learned: Automated verification of your lab setup ensures you never start a practice session only to find DVWA is misconfigured. Running this check before each lab session — especially after system updates — prevents wasted time debugging the environment instead of practising the vulnerability.

📸 Screenshot all module status codes showing 200 and share in #dvwa-lab-series on Discord. Tag #dvwasetup2026


📋 DVWA Lab Commands — Reference Card

docker run -d --name dvwa -p 127.0.0.1:80:80 vulnerables/web-dvwa
    Start DVWA via Docker (recommended method), bound to localhost only
docker start dvwa
    Start existing DVWA container after first setup
docker stop dvwa
    Stop DVWA container when not in use
docker rm -f dvwa && docker run -d --name dvwa -p 127.0.0.1:80:80 vulnerables/web-dvwa
    Full reset: destroys and recreates a clean container
http://127.0.0.1/setup.php (Docker) or http://127.0.0.1/dvwa/setup.php (manual)
    DVWA setup page: click “Create / Reset Database” here
admin / password
    Default DVWA login credentials (lab use only)

🏆 Lab 1 Complete — DVWA Lab Setup 2026 Ready

Your lab is ready for all 29 remaining DVWA labs in this series


❓ Frequently Asked Questions – DVWA Lab Setup 2026

What is DVWA and why is it the standard practice target?
DVWA (Damn Vulnerable Web Application) is an intentionally vulnerable PHP/MySQL web app used by ethical hackers to practise common web vulnerabilities safely on localhost. It is the industry standard practice target because it covers all major vulnerability classes, shows source code at every security level, and is infinitely resettable — making it ideal for repeated practice until techniques become instinctive.
Should I use Docker or the manual install method?
Docker is recommended for most users — it requires no manual Apache/PHP configuration, works identically on any system, and can be completely reset with a single command. Use the manual install method if you want to modify DVWA’s PHP source code directly for advanced exercises, or if Docker is not available on your system.
What are the four DVWA security levels?
Low: no filtering — all vulnerabilities exploitable with basic payloads. Medium: simple blacklist filtering requiring bypass. High: stronger filtering requiring advanced techniques. Impossible: correct secure implementation (parameterised queries, CSP, token validation) — studying this level teaches secure coding practices alongside attack techniques.
How do I reset DVWA between practice sessions?
Docker: docker rm -f dvwa && docker run -d --name dvwa -p 127.0.0.1:80:80 vulnerables/web-dvwa. Manual install: navigate to /dvwa/setup.php and click “Create / Reset Database” (the same setup.php reset also works on the Docker image, at /setup.php). Both methods restore DVWA to a clean state, removing any data you added during practice.
Is DVWA safe to run on my computer?
Yes, when run correctly. DVWA should always run on an isolated network — localhost only, inside a VM with host-only networking, or on an offline machine. Never expose DVWA to the internet or a shared network — its intentional vulnerabilities are real and could be exploited by other users on the network.
What comes after this setup lab?
Lab 2 covers DVWA Brute Force — testing credentials using Hydra and Burp Intruder across all four security levels. Lab 3 covers Command Injection — injecting OS commands into web forms to achieve remote code execution. The full 30-lab sequence covers every DVWA module from basic exploitation through to Medium/High bypass techniques.


📚 Further Reading

  • DVWA Lab 2: Brute Force 2026 — Use Hydra and Burp Suite Intruder against DVWA’s login form across all four security levels, including CSRF token bypass at High.
  • SQL Injection Tutorial for Beginners 2026 — Complete SQL injection guide that pairs directly with DVWA’s SQL Injection modules (Labs 7 and 8 in this series).
  • DVWA Labs Hub — The complete category page for all 30 DVWA lab articles in this series, organised by vulnerability type and difficulty.
  • DVWA Official GitHub Repository — Official DVWA source code, latest version, PHP 8.x compatibility notes, and installation documentation maintained by the original authors.
  • OWASP WebGoat Project — An alternative intentionally vulnerable application from OWASP, complementary to DVWA for covering additional vulnerability classes not in DVWA.

Mr Elite
Owner, SecurityElites.com · Cybersecurity Trainer
I have set up DVWA more times than I can count — for students, on workshop laptops, in corporate training environments, and in my own lab. The Docker method I use in this guide is the result of years of finding the most reliable, repeatable setup that works identically for everyone. DVWA is where I developed the pattern recognition that makes real-world vulnerability hunting fast and systematic — and I have built this 30-lab series to give every student who follows this course that same foundation.
