[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-8143":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":34,"readmeContent":35,"aiSummary":36,"trendingCount":16,"starSnapshotCount":16,"syncStatus":37,"lastSyncTime":38,"discoverSource":39},8143,"DVWA","digininja\u002FDVWA","digininja","Damn Vulnerable Web Application (DVWA)","",null,"PHP",13203,4890,315,1,0,5,29,167,23,45,"GNU General Public License v3.0",false,"master",true,[27,28,29,30,31,32,33],"dvwa","hacking","infosec","php","security","sql-injection","training","2026-06-12 02:01:49","# DAMN VULNERABLE WEB APPLICATION\n\nDamn Vulnerable Web Application (DVWA) is a PHP\u002FMariaDB web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.\n\nThe aim of DVWA is to **practice some of the most common web vulnerabilities**, with **various levels of difficulty**, with a simple straightforward interface.\nPlease note, there are **both documented and undocumented vulnerabilities** with this software. This is intentional. You are encouraged to try and discover as many issues as possible.\n- - -\n\n## WARNING!\n\nDamn Vulnerable Web Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. It is recommended using a virtual machine (such as [VirtualBox](https:\u002F\u002Fwww.virtualbox.org\u002F) or [VMware](https:\u002F\u002Fwww.vmware.com\u002F)), which is set to NAT networking mode. Inside a guest machine, you can download and install [XAMPP](https:\u002F\u002Fwww.apachefriends.org\u002F) for the web server and database.\n\n### Disclaimer\n\nWe do not take responsibility for the way in which any one uses this application (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA, it is not our responsibility, it is the responsibility of the person\u002Fs who uploaded and installed it.\n\n- - -\n\n## License\n\nThis file is part of Damn Vulnerable Web Application (DVWA).\n\nDamn Vulnerable Web Application (DVWA) is free software: you can redistribute it and\u002For modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or\n(at your option) any later version.\n\nDamn Vulnerable Web Application (DVWA) is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with Damn Vulnerable Web Application (DVWA).  If not, see \u003Chttps:\u002F\u002Fwww.gnu.org\u002Flicenses\u002F>.\n\n- - -\n\n## Internationalisation\n\nThis file is available in multiple languages:\n\n- Arabic: [العربية](README.ar.md)\n- Chinese: [简体中文](README.zh.md)\n- French: [Français](README.fr.md)\n- Korean: [한국어](README.ko.md)\n- Persian: [فارسی](README.fa.md)\n- Polish: [Polski](README.pl.md)\n- Portuguese: [Português](README.pt.md)\n- Spanish: [Español](README.es.md)\n- Turkish: [Türkçe](README.tr.md)\n- Indonesia: [Indonesia](README.id.md)\n- Vietnamese: [Vietnamese](README.vi.md)\n- Italian: [Italiano](README.it.md)\n- Ukrainian: [Українська](README.uk.md)\n- Russian: [Русский](README.ru.md)\n\nIf you would like to contribute a translation, please submit a PR. Note though, this does not mean just run it through Google Translate and send that in, those will be rejected. Submit your translated version by adding a new 'README.xx.md' file where xx is the two-letter code of your desired language (based on [ISO 639-1](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FList_of_ISO_639-1_codes)).\n\n- - -\n\n## Download\n\nWhile there are various versions of DVWA around, the only supported version is the latest source from the official GitHub repository. You can either clone it from the repo:\n\n```sh\ngit clone https:\u002F\u002Fgithub.com\u002Fdigininja\u002FDVWA.git\n```\n\nOr [download a ZIP of the files](https:\u002F\u002Fgithub.com\u002Fdigininja\u002FDVWA\u002Farchive\u002Fmaster.zip).\n\n- - -\n\n## Installation\n\n### Automated Installation 🛠️\n\n**Note, this is not an official DVWA script, it was written by [IamCarron](https:\u002F\u002Fgithub.com\u002FiamCarron\u002F). A lot of work went into creating the script and, when it was created, it did not do anything malicious, however it is recommended you review the script before blindly running it on your system, just in case. Please report any bugs to [IamCarron](https:\u002F\u002Fgithub.com\u002FiamCarron\u002F), not here.**\n\nAn automated configuration script for DVWA on Debian-based machines, including Kali, Ubuntu, Kubuntu, Linux Mint, Zorin OS...\n\n**Note: This script requires root privileges and is tailored for Debian-based systems. Ensure you are running it as the root user.**\n\n#### Installation Requirements\n\n- **Operating System:** Debian-based system (Kali, Ubuntu, Kubuntu, Linux Mint, Zorin OS)\n- **Privileges:** Execute as root user\n\n#### Installation Steps\n\n##### One-Liner\n\nThis will download an install script written by [@IamCarron](https:\u002F\u002Fgithub.com\u002FIamCarron) and run it automatically. This would not be included here if we did not trust the author and the script as it was when we reviewed it, but there is always the chance of someone going rogue, and so if you don't feel safe running someone else's code without reviewing it yourself, follow the manual process and you can review it once downloaded.\n\n```sh\nsudo bash -c \"$(curl --fail --show-error --silent --location https:\u002F\u002Fraw.githubusercontent.com\u002FIamCarron\u002FDVWA-Script\u002Fmain\u002FInstall-DVWA.sh)\"\n```\n\n##### Manually Running the Script\n\n1. **Download the script:**\n\n   ```sh\n   wget https:\u002F\u002Fraw.githubusercontent.com\u002FIamCarron\u002FDVWA-Script\u002Fmain\u002FInstall-DVWA.sh\n   ```\n\n2. **Make the script executable:**\n\n   ```sh\n   chmod +x Install-DVWA.sh\n   ```\n\n3. **Run the script as root:**\n\n   ```sh\n   sudo .\u002FInstall-DVWA.sh\n   ```\n\n### Installation Videos\n\n- [Installing DVWA on Kali running in VirtualBox](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=WkyDxNJkgQ4)\n- [Installing DVWA on Windows using XAMPP](https:\u002F\u002Fyoutu.be\u002FYzksa_WjnY0)\n- [Installing Damn Vulnerable Web Application (DVWA) on Windows 10](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=cak2lQvBRAo)\n\n### Windows + XAMPP\n\nThe easiest way to install DVWA is to download and install [XAMPP](https:\u002F\u002Fwww.apachefriends.org\u002F) if you do not already have a web server setup.\n\nXAMPP is a very easy to install Apache Distribution for Linux, Solaris, Windows and Mac OS X. The package includes the Apache web server, MySQL, PHP, Perl, a FTP server and phpMyAdmin.\n\nThis [video](https:\u002F\u002Fyoutu.be\u002FYzksa_WjnY0) walks you through the installation process for Windows but it should be similar for other OSs.\n\n### Docker\n\nThanks to [hoang-himself](https:\u002F\u002Fgithub.com\u002Fhoang-himself) and [JGillam](https:\u002F\u002Fgithub.com\u002FJGillam), every commit to the `master` branch causes a Docker image to be built and ready to be pulled down from GitHub Container Registry.\n\nFor more information on what you are getting, you can browse [the prebuilt Docker images](https:\u002F\u002Fgithub.com\u002Fdigininja\u002FDVWA\u002Fpkgs\u002Fcontainer\u002Fdvwa).\n\n#### Getting Started\n\nPrerequisites: Docker and Docker Compose.\n\n- If you are using Docker Desktop, both of these should be already installed.\n- If you prefer Docker Engine on Linux, make sure to follow their [installation guide](https:\u002F\u002Fdocs.docker.com\u002Fengine\u002Finstall\u002F#server).\n\n**We provide support for the latest Docker release as shown above.**\nIf you are using Linux and the Docker package that came with your package manager, it will probably work too, but support will only be best-effort.\n\nUpgrading Docker from the package manager version to upstream requires that you uninstall the old versions as seen in their manuals for [Ubuntu](https:\u002F\u002Fdocs.docker.com\u002Fengine\u002Finstall\u002Fubuntu\u002F#uninstall-old-versions), [Fedora](https:\u002F\u002Fdocs.docker.com\u002Fengine\u002Finstall\u002Ffedora\u002F#uninstall-old-versions) and others.\nYour Docker data (containers, images, volumes, etc.) should not be affected, but in case you do run into a problem, make sure to [tell Docker](https:\u002F\u002Fwww.docker.com\u002Fsupport) and use search engines in the mean time.\n\nThen, to get started:\n\n1. Run `docker version` and `docker compose version` to see if you have Docker and Docker Compose properly installed. You should be able to see their versions in the output.\n\n    For example:\n\n    ```text\n    >>> docker version\n    Client:\n     [...]\n     Version:           23.0.5\n     [...]\n\n    Server: Docker Desktop 4.19.0 (106363)\n     Engine:\n      [...]\n      Version:          23.0.5\n      [...]\n\n    >>> docker compose version\n    Docker Compose version v2.17.3\n    ```\n\n    If you don't see anything or get a command not found error, follow the prerequisites to setup Docker and Docker Compose.\n\n2. Clone or download this repository and extract (see [Download](#download)).\n3. Open a terminal of your choice and change its working directory into this folder (`DVWA`).\n4. Run `docker compose up -d`.\n\nDVWA is now available at `http:\u002F\u002Flocalhost:4280`.\n\n**Notice that for running DVWA in containers, the web server is listening on port 4280 instead of the usual port of 80.**\nFor more information on this decision, see [I want to run DVWA on a different port](#i-want-to-run-dvwa-on-a-different-port).\n\n#### Local Build\n\nIf you made local changes and want to build the project from local, go to `compose.yml` and change `pull_policy: always` to `pull_policy: build`.\n\nRunning `docker compose up -d` should trigger Docker to build an image from local regardless of what is available in the registry.\n\nSee also: [`pull_policy`](https:\u002F\u002Fgithub.com\u002Fcompose-spec\u002Fcompose-spec\u002Fblob\u002Fmaster\u002F05-services.md#pull_policy).\n\n#### Serve local files\n\nIf your making local changes and don't want to build the project for every change :\n1. Go to `compose.yml` and uncomment :\n    ```\n        # volumes:\n        #   - .\u002F:\u002Fvar\u002Fwww\u002Fhtml\n    ```\n2. Run `cp config\u002Fconfig.inc.php.dist config\u002Fconfig.inc.php` to copy the default config file.\n3. Run `docker compose up -d` and changes to local files will reflect on the container.\n\n### PHP Versions\n\nIdeally you should be using the latest stable version of PHP as that is the version that this app will be developed and tested on.\n\nSupport will not be given for anyone trying to use PHP 5.x.\n\nVersions less than 7.3 have known issues that will cause problems, most of the app will work, but random things may not. Unless you have a very good reason for using such an old version, support will not be given.\n\n### Linux Packages\n\nIf you are using a Debian based Linux distribution, you will need to install the following packages _(or their equivalent)_:\n\n- apache2\n- libapache2-mod-php\n- mariadb-server\n- mariadb-client\n- php php-mysqli\n- php-gd\n\nI would recommend doing an update before this, just so you make sure you are going to get the latest version of everything.\n\n```sh\napt update\napt install -y apache2 mariadb-server mariadb-client php php-mysqli php-gd libapache2-mod-php\n```\n\nThe site will work with MySQL instead of MariaDB but we strongly recommend MariaDB as it works out of the box whereas you have to make changes to get MySQL to work correctly.\n\n### Apache Modules\n\nIf you want to use the API lab you must have the Apache module `mod_rewrite` enabled. To do this in Linux run:\n\n```\na2enmod rewrite\n```\n\nAnd then restart Apache with:\n\n```\napachectl restart\n```\n\n### Vendor Files\n\nIf you want to use the API module you will need to install a set of vendor files using [Composer](https:\u002F\u002Fgetcomposer.org\u002F).\n\nFirst, make sure you have Composer installed. There seem to be backward compatibility issues so I always get the latest version from here:\n\nhttps:\u002F\u002Fgetcomposer.org\u002Fdoc\u002F00-intro.md\n\nFollow the instructions the site gives to get it installed.\n\nNow go into the `vulnerabilities\u002Fapi` directory and run:\n\n```\ncomposer.phar install\n```\n\nIf you did not install Composer to the system path, make sure you reference its full location.\n\n## Configurations\n\n### Config File\n\nDVWA ships with a dummy copy of its config file which you will need to copy into place and then make the appropriate changes. On Linux, assuming you are in the DVWA directory, this can be done as follows:\n\n`cp config\u002Fconfig.inc.php.dist config\u002Fconfig.inc.php`\n\nOn Windows, this can be a bit harder if you are hiding file extensions, if you are unsure about this, this blog post explains more about it:\n\n[How to Make Windows Show File Extensions](https:\u002F\u002Fwww.howtogeek.com\u002F205086\u002Fbeginner-how-to-make-windows-show-file-extensions\u002F)\n\n### Config with environment variables\n\nInstead of modifying the configuration file, you can also set most settings using environment variables. In a Docker or Kubernetes deployment, this allows you to modify the configuration without creating a new Docker image. You'll find the variables in the [config\u002Fconfig.inc.php.dist](config\u002Fconfig.inc.php.dist) file.\n\nIf you want to set the default security level to \"low\", simply add the following line to the [compose.yml](.\u002Fcompose.yml) file:\n\n```yml\nenvironment:\n  - DB_SERVER=db\n  - DEFAULT_SECURITY_LEVEL=low\n```\n\n### Database Setup\n\nTo set up the database, simply click on the `Setup DVWA` button in the main menu, then click on the `Create \u002F Reset Database` button. This will create \u002F reset the database for you with some data in.\n\nIf you receive an error while trying to create your database, make sure your database credentials are correct within `.\u002Fconfig\u002Fconfig.inc.php`. _This differs from config.inc.php.dist, which is an example file._\n\nThe variables are set to the following by default:\n\n```php\n$_DVWA[ 'db_server'] = '127.0.0.1';\n$_DVWA[ 'db_port'] = '3306';\n$_DVWA[ 'db_user' ] = 'dvwa';\n$_DVWA[ 'db_password' ] = 'p@ssw0rd';\n$_DVWA[ 'db_database' ] = 'dvwa';\n```\n\nNote, if you are using MariaDB rather than MySQL (MariaDB is default in Kali), then you can't use the database root user, you must create a new database user. To do this, connect to the database as the root user then use the following commands:\n\n```mariadb\nMariaDB [(none)]> create database dvwa;\nQuery OK, 1 row affected (0.00 sec)\n\nMariaDB [(none)]> create user dvwa@localhost identified by 'p@ssw0rd';\nQuery OK, 0 rows affected (0.01 sec)\n\nMariaDB [(none)]> grant all on dvwa.* to dvwa@localhost;\nQuery OK, 0 rows affected (0.01 sec)\n\nMariaDB [(none)]> flush privileges;\nQuery OK, 0 rows affected (0.00 sec)\n```\n\n### Disable Authentication\n\nSome tools don't work well with authentication so can't be used with DVWA. To get around this, there is a config option to disable authentication checking. To do this, simply set the following in the config file:\n\n```php\n$_DVWA[ 'disable_authentication' ] = true;\n```\n\nYou will also need to set the security level to one that is appropriate to the testing you want to do:\n\n```php\n$_DVWA[ 'default_security_level' ] = 'low';\n```\n\nIn this state, you can access all the features without needing to log in and set any cookies.\n\n### Folder Permissions\n\n- `.\u002Fhackable\u002Fuploads\u002F` - Needs to be writeable by the web service (for File Upload).\n\n### PHP Configuration\n\nOn Linux systems, likely found in `\u002Fetc\u002Fphp\u002Fx.x\u002Ffpm\u002Fphp.ini` or `\u002Fetc\u002Fphp\u002Fx.x\u002Fapache2\u002Fphp.ini`.\n\n- To allow  Remote File Inclusions (RFI):\n  - `allow_url_include = on` [[allow_url_include](https:\u002F\u002Fsecure.php.net\u002Fmanual\u002Fen\u002Ffilesystem.configuration.php#ini.allow-url-include)]\n  - `allow_url_fopen = on` [[allow_url_fopen](https:\u002F\u002Fsecure.php.net\u002Fmanual\u002Fen\u002Ffilesystem.configuration.php#ini.allow-url-fopen)]\n\n- To make sure PHP shows all error messages:\n  - `display_errors = on` [[display_errors](https:\u002F\u002Fsecure.php.net\u002Fmanual\u002Fen\u002Ferrorfunc.configuration.php#ini.display-errors)]\n  - `display_startup_errors = on` [[display_startup_errors](https:\u002F\u002Fsecure.php.net\u002Fmanual\u002Fen\u002Ferrorfunc.configuration.php#ini.display-startup-errors)]\n\nMake sure you restart the php service or Apache after making the changes.\n\n### reCAPTCHA\n\nThis is only required for the \"Insecure CAPTCHA\" lab, if you aren't playing with that lab, you can ignore this section.\n\nGenerated a pair of API keys from \u003Chttps:\u002F\u002Fwww.google.com\u002Frecaptcha\u002Fadmin\u002Fcreate>.\n\nThese then go in the following sections of `.\u002Fconfig\u002Fconfig.inc.php`:\n\n- `$_DVWA[ 'recaptcha_public_key' ]`\n- `$_DVWA[ 'recaptcha_private_key' ]`\n\n### Default Credentials\n\n**Default username = `admin`**\n\n**Default password = `password`**\n\n_...can easily be brute forced ;)_\n\nLogin URL: \u003Chttp:\u002F\u002F127.0.0.1\u002Flogin.php>\n\n_Note: This will be different if you installed DVWA into a different directory._\n\n- - -\n\n## Troubleshooting\n\nThese assume you are on a Debian based distro, such as Debian, Ubuntu and Kali. For other distros, follow along, but update the command where appropriate.\n\nIf you'd rather watch a video than read words, the most common issues are covered in the video [Fixing DVWA Setup Issues](https:\u002F\u002Fyoutu.be\u002FC-kig5qrPSA?si=_a4Bop505-1tXb_F).\n\n### Containers\n\n#### I want to access the logs\n\nIf you are using Docker Desktop, logs can be accessed from the graphical application.\nSome minor details may change with newer versions, but the access method should be the same.\n\n![Overview of DVWA compose](.\u002Fdocs\u002Fgraphics\u002Fdocker\u002Foverview.png)\n![Viewing DVWA logs](docs\u002Fgraphics\u002Fdocker\u002Fdetail.png)\n\nLogs can also be accessed from the terminal.\n\n1. Open a terminal and change its working directory to DVWA\n2. Show the merged logs\n\n    ```sh\n    docker compose logs\n    ```\n\n   In case you want to export the logs to a file, e.g. `dvwa.log`\n\n   ```sh\n   docker compose logs > dvwa.log\n   ```\n\n#### I want to run DVWA on a different port\n\nWe don't use port 80 by default for a few reasons:\n\n- Some users might already be running something on port 80.\n- Some users might be using a rootless container engine (like Podman), and 80 is a privileged port (\u003C 1024). Additional configuration (e.g. setting `net.ipv4.ip_unprivileged_port_start`) is required, but you will have to research on your own.\n\nYou can expose DVWA on a different port by changing the port binding in the `compose.yml` file.\nFor example, you can change\n\n```yml\nports:\n  - 127.0.0.1:4280:80\n```\n\nto\n\n```yml\nports:\n  - 127.0.0.1:8806:80\n```\n\nDVWA is now accessible at `http:\u002F\u002Flocalhost:8806`.\n\nIn cases in which you want DVWA to not only be accessible exclusively from your own device, but\non your local network too (e.g. because you are setting up a test machine for a workshop), you\ncan remove the `127.0.0.1:` from the port mapping (or replace it with you LAN IP). This way it\nwill listen on all available device. The safe default should always be to only listen on your\nlocal loopback device. After all, it is a damn vulnerable web application, running on your machine.\n\n#### DVWA auto starts when Docker runs\n\nThe included [`compose.yml`](.\u002Fcompose.yml) file automatically runs DVWA and its database when Docker starts.\n\nTo disable this, you can delete or comment out the `restart: unless-stopped` lines in the [`compose.yml`](.\u002Fcompose.yml) file.\n\nIf you want to disable this behavior temporarily, you can run `docker compose stop`, or use Docker Desktop, find `dvwa` and click Stop.\nAdditionally, you can delete the containers, or run `docker compose down`.\n\n### Log files\n\nOn Linux systems Apache generates two log files by default, `access.log` and `error.log` and on Debian based system these are usually found in `\u002Fvar\u002Flog\u002Fapache2\u002F`.\n\nWhen submitting error reports, problems, anything like that, please include at least the last five lines from each of these files. On Debian based systems you can get these like this:\n\n```sh\ntail -n 5 \u002Fvar\u002Flog\u002Fapache2\u002Faccess.log \u002Fvar\u002Flog\u002Fapache2\u002Ferror.log\n```\n\n### I browsed to the site and got a 404 or Apache2 default page\n\n[Video Help](https:\u002F\u002Fyoutu.be\u002FC-kig5qrPSA?si=wTS3Aj8fycW3Idfr&t=141)\n\nIf you are having this problem you need to understand file locations. By default, the Apache document root (the place it starts looking for web content) is `\u002Fvar\u002Fwww\u002Fhtml`. If you put the file `hello.txt` in this directory, to access it you would browse to `http:\u002F\u002Flocalhost\u002Fhello.txt`.\n\nIf you created a directory and put the file in there - `\u002Fvar\u002Fwww\u002Fhtml\u002Fmydir\u002Fhello.txt` - you would then need to browse to `http:\u002F\u002Flocalhost\u002Fmydir\u002Fhello.txt`.\n\nLinux is by default case sensitive and so in the example above, if you tried to browse to any of these, you would get a `404 Not Found`:\n\n- `http:\u002F\u002Flocalhost\u002FMyDir\u002Fhello.txt`\n- `http:\u002F\u002Flocalhost\u002Fmydir\u002FHello.txt`\n- `http:\u002F\u002Flocalhost\u002FMYDIR\u002Fhello.txt`\n\nHow does this affect DVWA? Most people use git to clone DVWA into `\u002Fvar\u002Fwww\u002Fhtml`, this gives them the directory `\u002Fvar\u002Fwww\u002Fhtml\u002FDVWA\u002F` with all the DVWA files inside it. They then browse to `http:\u002F\u002Flocalhost\u002F` and get either a `404` or the default Apache welcome page. As the files are in DVWA, you must browse to `http:\u002F\u002Flocalhost\u002FDVWA`.\n\nThe other common mistake is to browse to `http:\u002F\u002Flocalhost\u002Fdvwa` which will give a `404` because `dvwa` is not `DVWA` as far as Linux directory matching is concerned.\n\nSo after setup, if you try to visit the site and get a `404`, think about where you installed the files to, where they are relative to the document root, and what the case of the directory you used is.\n\n### I browsed to the site and got a blank screen\n\n[Video Help](https:\u002F\u002Fyoutu.be\u002FC-kig5qrPSA?si=wTS3Aj8fycW3Idfr&t=243)\n\nThis is usually one configuration issue hiding another issue. By default, PHP does not display errors, and so if you forgot to turn error display on during the setup process, any other problems, such as failure to connect to the database, will stop the app from loading but the message to tell you what is wrong will be hidden.\n\nTo fix this, make sure you set `display_errors` and `display_startup_errors` as covered in [PHP Configuration](#php-configuration) and then restart Apache.\n\n### \"Access denied\" running setup\n\nIf you see the following when running the setup script it means the username or password in the config file do not match those configured on the database. [Video Help](https:\u002F\u002Fyoutu.be\u002FC-kig5qrPSA?si=_a4Bop505-1tXb_F&t=973)\n\n```mariadb\nDatabase Error #1045: Access denied for user 'notdvwa'@'localhost' (using password: YES).\n```\n\nThe error is telling you that you are using the username `notdvwa`.\n\nThe following error says you have pointed the config file at the wrong database. [Video Help](https:\u002F\u002Fyoutu.be\u002FC-kig5qrPSA?si=_a4Bop505-1tXb_F&t=630)\n\n```mariadb\nSQL: Access denied for user 'dvwa'@'localhost' to database 'notdvwa'\n```\n\nIt is saying that you are using the user `dvwa` and trying to connect to the database `notdvwa`.\n\nThe first thing to do is to double check what you think you put in the config file is what is actually there.\n\nIf it matches what you expect, the next thing to do is to check you can log in as the user on the command line. Assuming you have a database user of `dvwa` and a password of `p@ssw0rd`, run the following command:\n\n```sh\nmysql -u dvwa -pp@ssw0rd -D dvwa\n```\n\n_Note: There is no space after the -p_\n\nIf you see the following, the password is correct:\n\n```mariadb\nWelcome to the MariaDB monitor.  Commands end with ; or \\g.\nYour MariaDB connection id is 14\nServer version: 10.3.22-MariaDB-0ubuntu0.19.10.1 Ubuntu 19.10\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nMariaDB [dvwa]>\n```\n\nAs you can connect on the command line, it is likely something wrong in the config file, double check that and then raise an issue if you still can't get things working.\n\nIf you see the following, the username or password you are using is wrong. Repeat the [Database Setup](#database-setup) steps and make sure you use the same username and password throughout the process.\n\n```mariadb\nERROR 1045 (28000): Access denied for user 'dvwa'@'localhost' (using password: YES)\n```\n\nIf you get the following, the user credentials are correct but the user does not have access to the database. Again, repeat the setup steps and check the database name you are using.\n\n```mariadb\nERROR 1044 (42000): Access denied for user 'dvwa'@'localhost' to database 'dvwa'\n```\n\nThe final error you could get is this:\n\n```mariadb\nERROR 2002 (HY000): Can't connect to local MySQL server through socket '\u002Fvar\u002Frun\u002Fmysqld\u002Fmysqld.sock' (2)\n```\n\nThis is not an authentication issue but tells you that the database server is not running. Start it with the following\n\n```sh\nsudo service mysql start\n```\n\n### Connection Refused\n\n[Video Help](https:\u002F\u002Fyoutu.be\u002FC-kig5qrPSA?si=_a4Bop505-1tXb_F&t=444)\n\nAn error similar to this one:\n\n```mariadb\nFatal error: Uncaught mysqli_sql_exception: Connection refused in \u002Fvar\u002Fsites\u002Fdvwa\u002Fnon-secure\u002Fhtdocs\u002Fdvwa\u002Fincludes\u002FdvwaPage.inc.php:535\n```\n\nMeans your database server is not running or you've got the wrong IP address in the config file.\n\nCheck this line in the config file to see where the database server is expected to be:\n\n```php\n$_DVWA[ 'db_server' ]   = '127.0.0.1';\n```\n\nThen go to this server and check that it is running. In Linux this can be done with:\n\n```sh\nsystemctl status mariadb.service\n```\n\nAnd you are looking for something like this, the important bit is that it says `active (running)`.\n\n```sh\n● mariadb.service - MariaDB 10.5.19 database server\n     Loaded: loaded (\u002Flib\u002Fsystemd\u002Fsystem\u002Fmariadb.service; enabled; preset: enabled)\n     Active: active (running) since Thu 2024-03-14 16:04:25 GMT; 1 week 5 days ago\n```\n\nIf it is not running, you can start it with:\n\n```sh\nsudo systemctl stop mariadb.service \n```\n\nNote the `sudo` and make sure you put your Linux user password in if requested.\n\nIn Windows, check the status in the XAMPP console.\n\n### Unknown authentication method\n\nWith the most recent versions of MySQL, PHP can no longer talk to the database in its default configuration. If you try to run the setup script and get the following message it means you have configuration.\n\n```mariadb\nDatabase Error #2054: The server requested authentication method unknown to the client.\n```\n\nYou have two options, the easiest is to uninstall MySQL and install MariaDB. The following is the official guide from the MariaDB project:\n\n\u003Chttps:\u002F\u002Fmariadb.com\u002Fresources\u002Fblog\u002Fhow-to-migrate-from-mysql-to-mariadb-on-linux-in-five-steps\u002F>\n\nAlternatively, follow these steps:\n\n1. As root, edit the following file: `\u002Fetc\u002Fmysql\u002Fmysql.conf.d\u002Fmysqld.cnf`\n1. Under the line `[mysqld]`, add the following:\n  `default-authentication-plugin=mysql_native_password`\n1. Restart the database: `sudo service mysql restart`\n1. Check the authentication method for your database user:\n\n    ```sql\n    mysql> select Host,User, plugin from mysql.user where mysql.user.User = 'dvwa';\n    +-----------+------------------+-----------------------+\n    | Host      | User             | plugin                |\n    +-----------+------------------+-----------------------+\n    | localhost | dvwa             | caching_sha2_password |\n    +-----------+------------------+-----------------------+\n    1 rows in set (0.00 sec)\n    ```\n\n1. You'll likely see `caching_sha2_password`. If you do, run the following command:\n\n    ```sql\n    mysql> ALTER USER dvwa@localhost IDENTIFIED WITH mysql_native_password BY 'p@ssw0rd';\n    ```\n\n1. Re-running the check, you should now see `mysql_native_password`.\n\n    ```sql\n    mysql> select Host,User, plugin from mysql.user where mysql.user.User = 'dvwa';\n    +-----------+------+-----------------------+\n    | Host      | User | plugin                |\n    +-----------+------+-----------------------+\n    | localhost | dvwa | mysql_native_password |\n    +-----------+------+-----------------------+\n    1 row in set (0.00 sec)\n    ```\n\nAfter all that, the setup process should now work as normal.\n\nIf you want more information see the following page: \u003Chttps:\u002F\u002Fwww.php.net\u002Fmanual\u002Fen\u002Fmysqli.requirements.php>.\n\n### Database Error #2002: No such file or directory\n\nThe database server is not running. In a Debian based distro this can be done with:\n\n```sh\nsudo service mysql start\n```\n\n### Errors \"MySQL server has gone away\" and \"Packets out of order\"\n\nThere are a few reasons you could be getting these errors, but the most likely is the version of database server you are running is not compatible with the version of PHP.\n\nThis is most commonly found when you are running the latest version of MySQL as PHP and it do not get on well. Best advice, ditch MySQL and install MariaDB as this is not something we can support.\n\nFor more information, see:\n\n\u003Chttps:\u002F\u002Fwww.ryadel.com\u002Fen\u002Ffix-mysql-server-gone-away-packets-order-similar-mysql-related-errors\u002F>\n\n### Why can't the database connect on CentOS?\n\nYou may be running into problems with SELinux.  Either disable SELinux or run this command to allow the web server to talk to the database:\n\n```sh\nsetsebool -P httpd_can_network_connect_db 1\n```\n\n### MariaDB Docker does not start\n\nIf you see the following error in the Docker logs while trying to start MariaDB, it is likely due to the host machine not having enough memory. If you are using this in a hosted environment, the best solution is to step up a machine size to get more memory and to try again.\n\n```\n[Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:10.11.15+maria~ubu2204 started.\n[Warn] [Entrypoint]: \u002Fsys\u002Ffs\u002Fcgroup\u002F\u002F\u002Fmemory.pressure not writable, functionality unavailable to MariaDB\n```\n\nYou might also need to add the following line to the volumes section of your `compose.yml` file:\n\n```\n- \u002Fsys\u002Ffs\u002Fcgroup\u002Fmemory.pressure:\u002Fsys\u002Ffs\u002Fcgroup\u002Fmemory.pressure\n```\n\nDoing that would change the volumes section of a default config file to the following:\n\n```\n     volumes:\n       - dvwa:\u002Fvar\u002Flib\u002Fmysql\n       - \u002Fsys\u002Ffs\u002Fcgroup\u002Fmemory.pressure:\u002Fsys\u002Ffs\u002Fcgroup\u002Fmemory.pressure\n```\n\nFor more information on why this works, see [this issue](https:\u002F\u002Fgithub.com\u002FMariaDB\u002Fmariadb-docker\u002Fissues\u002F626).\n\n### Anything Else\n\nFor the latest troubleshooting information please read both open and closed tickets in the git repo:\n\n\u003Chttps:\u002F\u002Fgithub.com\u002Fdigininja\u002FDVWA\u002Fissues>\n\nBefore submitting a ticket, please make sure you are running the latest version of the code from the repo. This is not the latest release, this is the latest code from the master branch.\n\nIf raising a ticket, please submit at least the following information:\n\n- Operating System\n- The last 5 lines from the web server error log directly after whatever error you are reporting occurs\n- If it is a database authentication problem, go through the steps above and screenshot each step. Submit these along with a screenshot of the section of the config file showing the database user and password.\n- A full description of what is going wrong, what you expect to happen, and what you have tried to do to fix it. \"login broken\" is no enough for us to understand your problem and to help fix it.\n\n- - -\n\n## Tutorials\n\nI am going to try to put together some tutorial videos that walk through some of the vulnerabilities and show how to detect them and then how to exploit them. Here are the ones I've made so far:\n\n[Finding and Exploiting Reflected XSS](https:\u002F\u002Fyoutu.be\u002FV4MATqtdxss)\n\n- - -\n\n## SQLite3 SQL Injection\n\n_Support for this is limited, before raising issues, please ensure you are prepared to work on debugging, do not simply claim \"it does not work\"._\n\nBy default, SQLi and Blind SQLi are done against the MariaDB\u002FMySQL server used by the site but it is possible to switch to do the SQLi testing against SQLite3 instead.\n\nI am not going to cover how to get SQLite3 working with PHP, but it should be a simple case of installing the `php-sqlite3` package and making sure it is enabled.\n\nTo make the switch, simply edit the config file and add or edit these lines:\n\n```php\n$_DVWA[\"SQLI_DB\"] = \"sqlite\";\n$_DVWA[\"SQLITE_DB\"] = \"sqli.db\";\n```\n\nBy default it uses the file `database\u002Fsqli.db`, if you mess it up, simply copy `database\u002Fsqli.db.dist` over the top.\n\nThe challenges are exactly the same as for MariaDB, they just run against SQLite3 instead.\n\n- - -\n\n👨‍💻 Contributors\n-----\n\nThanks for all your contributions and keeping this project updated. :heart:\n\nIf you have an idea, some kind of improvement or just simply want to collaborate, you are welcome to contribute and participate in the Project, feel free to send your PR.\n\n\u003Cp align=\"center\">\n\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fdigininja\u002FDVWA\u002Fgraphs\u002Fcontributors\">\n  \u003Cimg src=\"https:\u002F\u002Fcontrib.rocks\u002Fimage?repo=digininja\u002FDVWA&max=500\">\n\u003C\u002Fa>\n\u003C\u002Fp>\n\n- - -\n\n## Reporting Vulnerabilities\n\nTo put it simply, please don't!\n\nOnce a year or so, someone will submit a report for a vulnerability they've found in the app, some are well written, sometimes better than I've seen in paid pen test reports, some are just \"you are missing headers, pay me\".\n\nIn 2023, this elevated to a whole new level when someone decided to request a CVE for one of the vulnerabities, they were given [CVE-2023-39848](https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-39848). Much hilarity ensued and time was wasted getting this corrected.\n\nThe app has vulnerabilities, it is deliberate. Most are the well documented ones that you work through as lessons, others are \"hidden\" ones, ones to find on your own. If you really want to show off your skills at finding the hidden extras, write a blog post or create a video as there are probably people out there who would be interested in learning about them and about how your found them. If you send us the link, we may even include it in the references.\n\n## Links\n\nProject Home: \u003Chttps:\u002F\u002Fgithub.com\u002Fdigininja\u002FDVWA>\n\n_Created by the DVWA team_\n","Damn Vulnerable Web Application (DVWA) 是一个基于PHP和MariaDB的极度脆弱的Web应用程序，旨在帮助安全专业人员在合法环境中测试技能和工具，同时让Web开发者更好地理解保护Web应用的过程，并支持学生和教师在一个受控的课堂环境中学习Web应用安全。其核心功能包括提供多种难度级别的常见Web漏洞练习，界面简单直观。DVWA故意包含已记录和未记录的安全漏洞以供探索发现。适合用于教育和培训场景，特别推荐在虚拟机中使用，切勿将其部署到任何面向互联网的服务器上以免造成安全风险。",2,"2026-06-11 03:16:22","top_language"]