{"id":16682456,"url":"https://github.com/sagikazarmark/docker-dvwa","last_synced_at":"2026-02-24T01:07:59.960Z","repository":{"id":72822429,"uuid":"85501044","full_name":"sagikazarmark/docker-dvwa","owner":"sagikazarmark","description":"Dockerized version of DVWA","archived":false,"fork":false,"pushed_at":"2017-03-20T08:31:42.000Z","size":17,"stargazers_count":4,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-11-08T18:02:43.910Z","etag":null,"topics":["docker","dvwa","ethical-hacking","security","security-vulnerability"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/sagikazarmark/dvwa/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sagikazarmark.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-03-19T19:02:05.000Z","updated_at":"2023-04-27T06:30:57.000Z","dependencies_parsed_at":null,"dependency_job_id":"86a0d850-2fd5-411e-860c-2d880b8ec1e4","html_url":"https://github.com/sagikazarmark/docker-dvwa","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/sagikazarmark/docker-dvwa","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sagikazarmark%2Fdocker-dvwa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sagikazarmark%2Fdocker-dvwa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sagikazarmark%2Fdocker-dvwa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sagikazarmark%2Fdocker-dvwa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sagikazarmark","download_url":"https://codeload.github.com/sagikazarmark/docker-dvwa/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sagikazarmark%2Fdocker-dvwa/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29765743,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-23T21:02:23.375Z","status":"ssl_error","status_checked_at":"2026-02-23T20:58:31.539Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","dvwa","ethical-hacking","security","security-vulnerability"],"created_at":"2024-10-12T14:07:34.418Z","updated_at":"2026-02-24T01:07:59.945Z","avatar_url":"https://github.com/sagikazarmark.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DVWA Docker image\n\nThis Docker image contains [DVWA](http://dvwa.co.uk/) which is a \"web application that is damn vulnerable\".\nIt's purpose is to demonstrate the most common web related vulnerabilities.\n\n\n## Disclaimer\n\nSince it includes SERIOUS ones, it's highly unrecommended to put it anywhere close to a production system.\n(You have been warned)\n\nTo even more lower the risks when running it on your own computer, it is recommended to isolate it.\nA Docker image or a VM should be fine, but no warranties.\n\nRead the original [DVWA disclaimer](https://github.com/ethicalhack3r/DVWA#disclaimer) as well!\n\n\n## Usage\n\nFirst of all pull the image from Docker Hub:\n\n``` bash\n$ docker pull sagikazarmark/dvwa\n```\n\nThen start it with the following command:\n\n``` bash\n$ docker run --rm -it -p 8080:80 sagikazarmark/dvwa\n```\n\n(Note: `-it` is required so that you can stop the container with SIGINT)\n\nNow head to `http://localhost:8080` in your browser. Login with `admin` and `password` (hard to guess) credentials.\nYou should see an installation screen with all options green (except captcha, we will get back to that later).\nClick on the **Create / Reset Database** button. When the process is finished,\nclick on the **login** link and login in again. That's it, you are ready for hacking.\n\nWhen you are done with playing don't forget to stop the container!!!\n\n\n## Environment\n\nSince the purpose of this image is to model an average (vulnerable) application, I wanted to keep the environment\nas close to a \"usual\" one as possible. Despite Docker suggests running one process per container,\nthis image is self-contained: it includes a whole LAMP stack.\n\nThe OS of the image is **Debian Jessie**, all softwares are installed from official repositories:\n\n- PHP 5.6.30\n- Apache 2.4.10\n- MySQL 5.5.54\n\nMySQL credentials are configured to be the DVWA defaults:\n\n- User: **root**\n- Password: **p@ssw0rd**\n- Database: **dvwa**\n\nFurther changes:\n\n- `allow_url_include` PHP option is turned `On` (required by DVWA)\n- MySQL `bind_address` option is disabled as well as `root` user is allowed to login from any addresses so that you can access the database from your host computer\n- MySQL `general_log` is turned on (default location: `/var/log/mysql/mysql.log`) so that queries can be monitored\n- MySQL `secure-file-priv` is turned off to allow SQLi OS Shell hacks\n- `/var/www/html` is world writable to make it even more vulnerable\n- recaptcha is configured in the DVWA configuration to look for `RECAPTCHA_PUBLIC_KEY` and `RECAPTCHA_PRIVATE_KEY` environment variables\n\n\n## Tips\n\n\n### Start as daemon\n\nThis is **NOT** recommended as you might forget to stop the container (like I do all the times),\nbut it can be useful if you don't want the container to consume your shell.\nYou can start the container as a daemon by replacing `--rm` with `-d`:\n\n``` bash\n$ docker run -d -p 8080:80 sagikazarmark/dvwa\n```\n\nYou might also want to give it a name, so that you can refer to it easily (instead of it's generated name or ID):\n\n``` bash\n$ docker run -d --name dvwa -p 8080:80 sagikazarmark/dvwa\n```\n\nWhen you are done, please **STOP** the container (or even delete it):\n\n``` bash\n$ docker stop dvwa\n$ docker delete dvwa\n```\n\n\n### Expose MySQL to the host\n\nThe MySQL server running in the container can be exposed to the host so that you can access the database itself.\nAll you need to do is adding `-p 3336:3306` to the Docker run command,\nwhere `3336` is the port which you can connect to on your `localhost`:\n\n``` bash\n$ docker run --rm -it -p 8080:80 -p 3336:3306 sagikazarmark/dvwa\n```\n\nAfter that you can easily connect to the MySQL server:\n\n``` bash\n$ mysql -h 127.0.0.1 -P 3336 -u root -pp@ssw0rd\n```\n\nOr you can easily monitor the server with `mytop`:\n\n``` bash\n$ mytop --password=\"p@ssw0rd\" --port=3346 --database=\"dvwa\" --host=\"127.0.0.1\"\n```\n\n\n### Recaptcha\n\nSince recaptcha requires registration, I couldn't build it into the image.\nIf you need it, head to `https://www.google.com/recaptcha/admin/create` and register a key.\n\nAfter that start the container with the following parameters:\n\n``` bash\n$ docker run -d --name dvwa -p 8080:80 -e RECAPTCHA_PUBLIC_KEY=YOUR_KEY -e RECAPTCHA_PRIVATE_KEY=YOUR_KEY sagikazarmark/dvwa\n```\n\n\n### Check logs with lnav\n\n[lnav](http://lnav.org) is an extremely powerful log analyzer and can easily become the developer's best friend.\nIt allows you to filter/search/highlight or save logs in the console. It knows all kinds of log formats including\nApache log and it can even highlight SQL queries, which makes it a perfect tool for us.\n\nThere are two kinds of logs which might be useful in the current scenario:\n\n- Apache access and error logs\n- MySQL error and general query logs\n\nFortunately the container automatically tails the Apache logs to the STDOUT, so we can use the built-in Docker logging:\n\n``` bash\n$ docker logs -f dvwa | lnav\n```\n\nWe are mostly interested in access logs for the vulnerability pages, so start with filtering out all non-relevant log entries.\nType the following (or at least the colon, you can copy-paste the rest):\n\n`:filter-in GET /vulnerabilities`\n\nIt can also be useful to search for and highlight certain parts of the log (for example the posted form in case of SQLi).\nFor that you can either use the highlight command or the search function (let's use this one).\nAs in the previous case, you need to type the slash, but you can copy-paste the rest:\n\n`/(?\u003c=id=)(.*)(?=\u0026Submit=Submit HTTP)`\n\nThis will highlight the contents of the `id` field sent as a query parameter.\n\nSticking to the SQLi example, observing the injected code itself can be useful, but sometimes it's better to\nexamine the executed SQL query itself. Unfortunately the MySQL query log is not tailed into the container's STDOUT,\nbut all is not lost, we can still use lnav and a bit of hack:\n\n``` bash\n$ docker exec dvwa sh -c \"tail -f /var/log/mysql/mysql.log\" | lnav\n```\n\nThe general log contains all kinds of queries, let's take a look at the `SELECT` ones, filter them:\n\n`:filter-in SELECT`\n\nYou can always go back to the unfiltered state with the `Ctrl+R` keystroke.\n\n\n## Why this image? (aka. Do I suffer from the NIH syndrome?)\n\nI usually try to fight against the [Not invented here](https://en.wikipedia.org/wiki/Not_invented_here) syndrome\nand contribute to existing software In this particular case there are already 27 existing Docker images of the\nvery same DVWA, so it's a valid question to ask why I created another one.\n\n\n### Quality and reliability\n\nBesides being a NIH fighter, I am also allergic to low quality. This includes everything from code to documentation.\nAlthough there are not too much code in this case that could be wrong, the existing images are highly underdocumented.\nMy purpose was to provide an image AND a guide with tips, so that it can actually be useful.\n\nLast, but not least: I am not a big fan of running images which does not publish a Dockerfile as well.\n\n\n### Environment\n\nMost of the images either do not provide any information about their environment or use \"special\"\ndockerized LAMP stacks (mostly `tutum/lamp`).\n\nOne of my goals was creating an image as close to \"usual\" production environments as possible.\n\n\n### Size\n\nThe size of the image is around 360 MB which is relatively small compared to the already existing images.\nIt's also small in terms of image layers: it has only 5 layers compared to the most popular image which has 41\n(mostly because of using `tutum/lamp` as a base image).\n\n\n## License\n\nThe MIT License (MIT). Please see [License File](LICENSE) for more information.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsagikazarmark%2Fdocker-dvwa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsagikazarmark%2Fdocker-dvwa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsagikazarmark%2Fdocker-dvwa/lists"}