Legal Disclaimer: This lab is for educational and ethical hacking practice only. DVWA is an intentionally vulnerable web application. Never deploy it on a public server or a network you don't own. Only use it in a controlled, isolated environment. The author is not responsible for any misuse.
Built by Hassan Ansari | Instagram @trickyhash | YouTube | GitHub @th3hash | X | LinkedIn
DVWA (Damn Vulnerable Web Application) is a PHP/MySQL web application that is intentionally vulnerable. It is designed to help security professionals and students practice common web vulnerabilities in a legal, safe environment.
Vulnerabilities it covers:
- SQL Injection
- Cross-Site Scripting (XSS)
- Command Injection
- File Inclusion
- Brute Force
- CSRF
- And more...
Official DVWA Repo: https://github.com/digininja/DVWA
Running DVWA directly on your machine requires setting up PHP, MySQL, Apache and configuring them manually, which is painful and error-prone. Docker packages everything together so you can spin it up with one command.
Official Docker Docs: https://docs.docker.com
Docker Hub DVWA Image: https://hub.docker.com/r/vulnerables/web-dvwa
- Prerequisites
- Install Docker
- Common Mistakes When Installing Docker
- Run DVWA with Docker
- Common Mistakes When Setting Up DVWA
- First Login and Database Setup
- Setting Security Levels
- Stopping and Cleaning Up
- Using Docker Compose (Recommended)
- Resources and Further Learning
Before starting, make sure you have:
- A 64-bit system (Linux, macOS, or Windows 10/11 with WSL2)
- At least 2GB of free RAM
- Internet connection
- Basic comfort with a terminal or command prompt
Follow the official guide exactly: https://docs.docker.com/engine/install/ubuntu/

```bash
# Step 1: Update your package index
sudo apt-get update

# Step 2: Install required packages
sudo apt-get install ca-certificates curl gnupg

# Step 3: Add Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# Step 4: Set up the Docker repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Step 5: Install Docker Engine
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```

Download Docker Desktop (macOS): https://docs.docker.com/desktop/install/mac-install/
Docker Desktop for Windows (requires WSL2): https://docs.docker.com/desktop/install/windows-install/

```bash
docker --version
docker run hello-world
```

If `hello-world` runs without errors, Docker is working correctly.
These are real mistakes people make. Learn from them so you don't waste hours debugging.
What people do:

```bash
sudo apt install docker.io
```

Why it's wrong:
The `docker.io` package from Ubuntu's default repo is an older, community-maintained version. It is often outdated and missing features like `docker compose` (v2).
What to do instead: Always install from Docker's official repo as shown in the steps above.
Reference: https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository
What people do: After installing Docker they immediately run:

```bash
docker run hello-world
```

What happens:

```
permission denied while trying to connect to the Docker daemon socket
```

Why it happens:
By default, Docker requires sudo. Every command needs `sudo docker` unless you add your user to the `docker` group.
Fix:

```bash
sudo usermod -aG docker $USER
newgrp docker
```

Then log out and log back in. Membership in the `docker` group grants root-equivalent privileges on the host, so add only accounts you trust. Verify with:

```bash
docker run hello-world
```

Reference: https://docs.docker.com/engine/install/linux-postinstall/
What happens:

```
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
```

Fix:

```bash
sudo systemctl start docker
sudo systemctl enable docker   # makes it start on boot
```

What people do:

```bash
docker-compose up
```

What happens:

```
command not found: docker-compose
```

Why:
Docker has moved to `docker compose` (with a space) as a built-in plugin in v2. The old standalone binary `docker-compose` is deprecated.
Fix:

```bash
docker compose up
```

Reference: https://docs.docker.com/compose/migrate/
What happens: Docker Desktop fails to start or containers crash randomly.
Fix: Enable WSL2 backend in Docker Desktop settings and install the WSL2 kernel update package.
Reference: https://docs.docker.com/desktop/wsl/
Once Docker is installed and running, fire up DVWA with a single command:

```bash
docker run --rm -it -p 80:80 vulnerables/web-dvwa
```

What this command does:

| Flag | Meaning |
|---|---|
| `--rm` | Automatically removes the container when you stop it |
| `-it` | Interactive terminal (keeps it running) |
| `-p 80:80` | Maps port 80 on your machine to port 80 inside the container |
| `vulnerables/web-dvwa` | The Docker Hub image for DVWA |
Now open your browser and go to:
http://localhost
or
http://127.0.0.1
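A check for the isolation requirement stated at the top of this guide, as an added example that is not part of the original guide: `-p 80:80` publishes DVWA on every host interface, so this function reads `docker port` output and reports any binding that is not loopback-only. The function name `exposed_bindings` and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide).
# Reads lines in the format printed by `docker port <container>`, for example
#   80/tcp -> 0.0.0.0:80
# prints every binding that is not loopback-only, and returns 1 if any exist.
exposed_bindings() {
  local line host status=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    host=${line##* -> }   # host part plus port: "0.0.0.0:80" or "[::]:80"
    host=${host%:*}       # drop the trailing ":port"
    case "$host" in
      127.*|"[::1]"|localhost) ;;            # reachable from this machine only
      *) printf '%s\n' "$line"; status=1 ;;  # reachable from other hosts
    esac
  done
  return "$status"
}

# Constructed sample: what `docker port dvwa` reports for `-p 80:80`.
sample_default='80/tcp -> 0.0.0.0:80
80/tcp -> [::]:80'
# Constructed sample: the same container published with `-p 127.0.0.1:80:80`.
sample_loopback='80/tcp -> 127.0.0.1:80'

printf '%s\n' "$sample_default" | exposed_bindings \
  || echo "WARNING: DVWA is published beyond loopback"
printf '%s\n' "$sample_loopback" | exposed_bindings \
  && echo "OK: loopback-only binding"

# Against a live lab container named dvwa (the name used in this guide):
#   docker port dvwa | exposed_bindings
```

Publishing with `-p 127.0.0.1:80:80` instead of `-p 80:80` keeps the lab reachable from the local machine only.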
What happens:

```
Error starting userland proxy: listen tcp4 0.0.0.0:80: bind: address already in use
```

Why: Something is already running on port 80 on your machine. Common culprits: Apache, Nginx, or another web server.
Fix: Use a different port:

```bash
docker run --rm -it -p 8080:80 vulnerables/web-dvwa
```

Then access DVWA at http://localhost:8080
What happens:
You close the terminal or hit Ctrl+C. The container stops and all your progress (database, session) is wiped because of the `--rm` flag.
Fix: Run the container in detached mode so it keeps running in the background:

```bash
docker run -d -p 80:80 --name dvwa vulnerables/web-dvwa
```

| Flag | Meaning |
|---|---|
| `-d` | Detached mode (runs in background) |
| `--name dvwa` | Gives the container a name so you can reference it easily |

Stop it later with:

```bash
docker stop dvwa
```

What happens: You open DVWA in the browser and see a page with red error messages about database connection.
Why: The database needs to be initialized on first run. People skip this step thinking DVWA is already ready to use.
Fix:
After opening http://localhost, scroll to the bottom and click the "Create / Reset Database" button. The page will reload and then you can log in.
See Section 6 for full steps.
What people do: They search random Docker Hub images and pull unofficial versions that might be outdated or tampered with.
Fix: Only use the official image:

```bash
docker pull vulnerables/web-dvwa
```

Docker Hub: https://hub.docker.com/r/vulnerables/web-dvwa
DVWA GitHub: https://github.com/digininja/DVWA
What happens: The page shows a connection refused error right after running the command.
Why: The container takes a few seconds (sometimes 10-15 seconds) to fully start Apache and MySQL inside.
Fix: Wait 10-15 seconds after running the Docker command before opening the browser. If using detached mode, check the logs:

```bash
docker logs dvwa
```

People get stuck at the login page because they don't know the default username and password.
Default DVWA credentials:
| Field | Value |
|---|---|
| Username | admin |
| Password | password |
- Open http://localhost in your browser
- You will land on the DVWA setup page. It shows a list of checks (green = good, red = needs fixing)
- Scroll to the bottom and click "Create / Reset Database"
- DVWA will redirect you to the login page
- Log in with: admin / password
- You are now inside the DVWA dashboard
Tip: You will see a warning that PHP configuration is not ideal. For a local lab, you can ignore most of these warnings. The important thing is the database setup completes successfully.
DVWA lets you change the difficulty of the vulnerabilities. This is one of its best features.
Go to: DVWA Security tab in the left menu
| Level | What it means |
|---|---|
| Low | No security. Perfect for beginners. Vulnerabilities are wide open. |
| Medium | Some basic filters applied. You need to bypass them. |
| High | Harder filters. Challenges intermediate learners. |
| Impossible | Secure code. Use it to understand how things should be done. |
Start at Low if you are learning for the first time.
Press Ctrl+C in the terminal.

```bash
# Stop and remove the detached container
docker stop dvwa
docker rm dvwa
# Remove the DVWA image
docker rmi vulnerables/web-dvwa
# List running containers
docker ps
# List all containers, including stopped ones
docker ps -a
```

Instead of typing a long `docker run` command every time, use Docker Compose. It is cleaner and easier to manage.
Create a file called `docker-compose.yml` in your project folder:

```yaml
version: "3"
services:
  dvwa:
    image: vulnerables/web-dvwa
    ports:
      - "80:80"
    restart: unless-stopped
```

Then run:

```bash
docker compose up -d
```

Stop it with:

```bash
docker compose down
```

Docker Compose Docs: https://docs.docker.com/compose/
The docker-compose.yml file is already included in this repo. You can use it directly.
| Resource | Link |
|---|---|
| Docker Install Docs | https://docs.docker.com/engine/install/ |
| Docker Post Install (Linux) | https://docs.docker.com/engine/install/linux-postinstall/ |
| Docker Compose Docs | https://docs.docker.com/compose/ |
| DVWA GitHub Repo | https://github.com/digininja/DVWA |
| DVWA Docker Hub Image | https://hub.docker.com/r/vulnerables/web-dvwa |
| Docker Hub | https://hub.docker.com |
If you found this useful and want to go deeper into ethical hacking and web application security, here are my resources:
| Platform | Link |
|---|---|
| Website | hackproofhacks.com |
| Instagram | @trickyhash |
| YouTube | @trickyhash |
| X (Twitter) | @trickyhash |
| LinkedIn | @trickyhash |
| GitHub | @th3hash |
I also offer one-on-one mentorship for people serious about learning ethical hacking and penetration testing. Check out hackproofhacks.com for details.
Found a mistake? Want to add more common errors or improve this guide? Open a pull request or raise an issue. Contributions are welcome.
This repository is for educational purposes only. See LICENSE for details.
Made with ❤️ by Hassan Ansari - Teaching ethical hacking, one lab at a time.