DVWA Lesson 1: Installing on Windows

gig expert Published: Feb 26, 2026

Damn Vulnerable What?! The 2026 DVWA Installation Guide

DVWA (Damn Vulnerable Web App) is a PHP/MySQL web application designed to be vulnerable. Its main goals are to aid security professionals in testing their skills, help web developers understand how to secure web applications, and assist teachers in the classroom.

CRITICAL SECURITY WARNING:
DVWA is vulnerable by design.
Do not upload it to your hosting provider’s public html folder or any Internet-facing server.

Testing must be done on an isolated host (Virtual Machine) or a Container.

🛠️ Required Software for DVWA

To set up your penetration testing lab, you will need the following tools:

🚀 Installation Guide (XAMPP Method)

WARNING: EDUCATIONAL PURPOSES ONLY.

Step 1: Install the Server

Install XAMPP for Windows. Open the XAMPP Control Panel (run as Administrator) and start both Apache and MySQL.

Step 2: Deploy the Files

[Image: XAMPP htdocs folder structure for DVWA installation]

  1. Extract the downloaded DVWA ZIP file.
  2. Rename the folder to dvwa.
  3. Move this folder to your web root: C:\xampp\htdocs\dvwa

Step 3: Configure the Config File

Modern versions of DVWA require manual configuration:

  1. Navigate to C:\xampp\htdocs\dvwa\config
  2. Rename config.inc.php.dist to config.inc.php.
  3. Open the file in a text editor.

Step 4: Connect the Database

Update the database settings (around line 20) to match XAMPP defaults:

$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = '';

Step 5: Finalize Setup

  1. Go to http://127.0.0.1/dvwa/setup.php
  2. Click Create / Reset Database.

Step 6: Login

Navigate to http://127.0.0.1/dvwa/login.php

  • Username: admin
  • Password: password
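
The warning at the top requires that DVWA stay isolated, and that can be checked on the XAMPP host once Apache and MySQL are running. The script below is an added example, not part of the original guide or of DVWA: it parses Windows `netstat -an` output and reports Apache or MySQL listeners bound to anything other than loopback. The sample output is constructed, and ports 80 and 3306 are assumed to be the XAMPP defaults.

```python
import ipaddress

# Assumption: XAMPP default ports (Apache 80, MySQL 3306).
LAB_PORTS = {80: "Apache (DVWA)", 3306: "MySQL"}

# Constructed sample in the layout printed by Windows `netstat -an`.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    [::]:80                [::]:0                 LISTENING
  TCP    [::1]:3306             [::]:0                 LISTENING
  TCP    192.168.56.10:49712    192.168.56.1:443       ESTABLISHED
"""


def exposed_listeners(netstat_text, ports=LAB_PORTS):
    """Return (address, port, service) for lab ports listening off-loopback."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows are: Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        try:
            # Drop IPv6 brackets and any zone id such as %12
            addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        except ValueError:
            continue  # not an address this check understands
        if not addr.is_loopback:
            findings.append((str(addr), int(port), ports[int(port)]))
    return findings


if __name__ == "__main__":
    # On the lab host, pass the real output of `netstat -an` instead of SAMPLE.
    for addr, port, service in exposed_listeners(SAMPLE):
        print(f"EXPOSED: {service} listening on {addr}:{port}")
```

If a listener is reported, keep the VM on a host-only network or block the port in the host firewall before using the lab.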

🌟 The Modern Method: Installing DVWA with Docker

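In 2026, using Docker is safer and faster than XAMPP. Run this command, which publishes the container's port 80 on the host's loopback address only, so DVWA stays unreachable from other machines on the network:

docker run --rm -it -p 127.0.0.1:80:80 vulnerables/web-dvwa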
