How to Install DVWA on Windows Using XAMPP

If you’re interested in learning about web application vulnerabilities, Damn Vulnerable Web Application (DVWA) is a great tool. It’s a PHP/MySQL web app designed for security professionals and enthusiasts to practice penetration testing in a controlled environment. This guide will walk you through the process of installing DVWA on Windows using XAMPP.

Step 1: Download and Install XAMPP on Windows

The first step is to install a local server environment on your Windows machine. XAMPP is an easy-to-use Apache distribution that includes MySQL, PHP, and Perl.

  1. Visit the official XAMPP website.
  2. Download the Windows installer.
  3. Run the installer and follow the on-screen instructions to complete the installation.
  4. Once installed, open the XAMPP Control Panel.
  5. Start the Apache and MySQL services.

Step 2: Download and Extract DVWA

Next, you need to download DVWA from GitHub.

  1. Go to the DVWA GitHub page.
  2. Click on the Code button and download the ZIP file.
  3. Extract the downloaded file.
  4. Inside the extracted folder, locate the DVWA-master directory.
  5. Copy the entire DVWA-master folder.

Step 3: Move DVWA to the XAMPP Directory

After extracting DVWA:

  • Navigate to the XAMPP installation directory, usually located at:
C:\xampp\htdocs
  • Paste the copied DVWA-master folder inside the htdocs directory.

This makes the application accessible through your localhost.

Step 4: Access DVWA Through Localhost

With XAMPP running, open your browser and go to:

http://localhost/DVWA-master/

You’ll likely see an error message.

Step 5: Configure the DVWA Settings File

To fix the above error:

  • Go to:
C:\xampp\htdocs\DVWA-master\config
  • Copy the file named config.inc.php.dist.
  • Paste it in the same directory and rename it to config.inc.php.

Now try accessing:

http://localhost/DVWA-master/login.php

You may see another error.

Step 6: Fix Database Access Error

This error occurs because the database credentials in the config file do not match XAMPP’s MySQL setup, which by default uses the root account with an empty password.

  • Open the config.inc.php file with a text editor.
  • Find the following lines:
$_DVWA[ 'db_user' ] = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';

Replace them with:

$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = '';

  • Save the file.

If the database doesn’t exist yet, open phpMyAdmin by visiting:

http://localhost/phpmyadmin

Create a new database named dvwa.
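
Steps 5 and 6 scripted in PowerShell, followed by a check that the lab's Apache and MySQL listeners answer only on the local machine. This is an added example, not part of the original guide; it assumes the default C:\xampp install and DVWA-master folder used above, and treats ports 80, 443 and 3306 as the XAMPP defaults.

```powershell
# Added example, not from the original guide.
# Assumption: default XAMPP location and the DVWA-master folder name used above.
$configDir = 'C:\xampp\htdocs\DVWA-master\config'
$dist      = Join-Path $configDir 'config.inc.php.dist'
$config    = Join-Path $configDir 'config.inc.php'

# Step 5: create config.inc.php from the template; leave an existing file in place.
if (-not (Test-Path -Path $config)) {
    if (-not (Test-Path -Path $dist)) { throw "Template not found: $dist" }
    Copy-Item -Path $dist -Destination $config
}

# Step 6: rewrite the two credential lines (root, empty password).
# Inside single-quoted strings '' is a literal quote and $ is not expanded.
$lines = Get-Content -Path $config | ForEach-Object {
    if     ($_ -match '^\s*\$_DVWA\[\s*''db_user''\s*\]\s*=')     { '$_DVWA[ ''db_user'' ] = ''root'';' }
    elseif ($_ -match '^\s*\$_DVWA\[\s*''db_password''\s*\]\s*=') { '$_DVWA[ ''db_password'' ] = '''';' }
    else   { $_ }
}
Set-Content -Path $config -Value $lines

# Show the resulting credential lines before reloading the login page.
Select-String -Path $config -Pattern 'db_user|db_password' |
    ForEach-Object { $_.Line.Trim() }

# The MySQL root account has no password, so the lab should answer on loopback only.
# List Apache (80, 443) and MySQL (3306) listeners bound to any other address.
$exposed = Get-NetTCPConnection -State Listen -LocalPort 80, 443, 3306 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }

if ($exposed) {
    $exposed | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
    Write-Warning 'These listeners accept connections from other hosts; bind them to 127.0.0.1 or block the ports in the host firewall.'
} else {
    Write-Output 'Apache and MySQL listeners are loopback-only (or not running).'
}
```

Run it from a PowerShell prompt with Apache and MySQL started in the XAMPP Control Panel so the listener check has something to inspect.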

Step 7: Final Setup and Login

Go back to:

http://localhost/DVWA-master/login.php

This time, the login page should load successfully. Use the default credentials:

  • Username: admin
  • Password: password

To initialize or reset the DVWA database, go to:

http://localhost/DVWA-master/setup.php

Click on the “Create/Reset Database” button.

Step 8: Start Testing Vulnerabilities

Your DVWA installation is now complete. From the left-hand menu, you can explore various web vulnerabilities.

You can also adjust the security level of the DVWA application using the DVWA Security setting on the left sidebar. Options include Low, Medium, and High, which simulate different security configurations.

Conclusion

Setting up DVWA on Windows using XAMPP is a straightforward process that allows cybersecurity students and professionals to safely experiment with common web application vulnerabilities. By following the steps outlined above, you can begin your journey into ethical hacking and penetration testing within a secure local environment.

For best practices, ensure DVWA is used only in isolated test environments and never deployed on live servers. Happy testing and stay ethical!
