Damn Vulnerable Web App DVWA testing with ZAP on Windows

Page content

Testing Damn Vulnerable Web App (DVWA) with OWASP ZAP on Windows

Cybersecurity threats are always evolving, making it vital for developers and security professionals to be updated with the latest tools and techniques. This guide introduces you to using OWASP ZAP for testing the Damn Vulnerable Web App (DVWA) on a Windows 11 environment.

Introduction to DVWA

The Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application intentionally designed with vulnerabilities. It serves multiple purposes:

  • Enables security professionals to legally practice and test their skills.
  • Assists web developers in understanding the intricacies of web application security.
  • Acts as an educational platform for both teachers and students in classroom settings.

Getting Started

First and foremost, set up a Windows 11 Virtual Machine. Next, download the essential software:

Step-by-step Installation and Testing Process

  1. Install Java Runtime Environment (JRE)
    • After installation, verify it by executing:
java -version
  1. Install OWASP ZAP

    • Post-installation, run ZAP to ensure it’s correctly set up.
  2. Install Docker Desktop

    • Installation will necessitate a system restart. After rebooting, accept the license agreement and execute the WSL2 update.
  3. Update WSL2 Kernel

wsl --update

Make sure to run the command in a terminal with administrative privileges.

  1. Download DVWA Docker Image
    • Execute the following command:
docker pull vulnerables/web-dvwa

Alternatively, you can use the Docker Desktop GUI for this step.

  1. Initiate the DVWA Container
docker run --rm -it -p 80:80 vulnerables/web-dvwa

Again, the Docker Desktop GUI is an alternative method.

  1. Set up ZAP for DVWA

    • Configure the authentication script, context, and user settings.
    • Adjust the URL based on your particular setup.
  2. Initiate Scans on DVWA

    • Start with a spider scan and follow up with an active scan.


This guide, including any linked resources, is purely for educational and research purposes. Unauthorized use of this information may result in legal consequences. Promoting or engaging in illegal activities is not endorsed.

Stay safe and ensure that your knowledge benefits the community positively!