gitmyhub

DVWA

PHP ★ 13k updated 22d ago

Damn Vulnerable Web Application (DVWA)

DVWA (Damn Vulnerable Web Application) is an intentionally insecure PHP app for practicing common web attack techniques legally and safely on a private machine, never on a public server.

PHP, MariaDB, Docker, XAMPP; setup: easy; complexity 2/5

DVWA (Damn Vulnerable Web Application) is a PHP web application intentionally built with security holes. Security professionals, students, and web developers use it to practice finding and exploiting common vulnerabilities in a safe, legal environment. It must only run on a private, offline machine or a virtual machine, never on a public server or shared hosting.

The application covers common web attacks at multiple difficulty levels, from beginner-friendly guided modes to harder, more realistic ones with no hints. There are also undocumented vulnerabilities hidden inside on purpose, giving advanced users extra things to find beyond the named challenges.

Getting it running requires a web server with PHP and a MariaDB database. On Windows or Mac, XAMPP handles that setup quickly. On Debian-based Linux systems like Kali or Ubuntu, a community-maintained automated install script can handle the whole process. Docker is also supported, letting you run the full environment in containers with a couple of commands.

The project is open source under the GNU General Public License. It is available in more than a dozen languages, including Chinese, Spanish, French, Russian, Korean, and Vietnamese, with community-contributed translations accepted via pull requests to the main repository.

One firm warning runs through the README: never put DVWA on a live, internet-connected server. The application is designed to be broken into, and the creators take no responsibility for any server that gets compromised through it. The full README is longer than what was shown.

Where it fits