Damn Vulnerable Web App DVWA testing with ZAP on Kali

Page content

How to Set Up and Test the Damn Vulnerable Web App (DVWA) Using OWASP ZAP and Docker

Web application security is of paramount importance today, with cyber threats becoming more sophisticated. If you’re a web developer, security professional, or a student keen on learning about web application security, this blog post is tailor-made for you. Today, we will guide you through a comprehensive walkthrough on setting up the Damn Vulnerable Web App (DVWA) using OWASP ZAP and Docker, based on a YouTube video tutorial.

Introduction to DVWA

The Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application intentionally designed to be insecure. The primary objectives of DVWA include:

  • Assisting security professionals to legally hone their skills and test their tools.
  • Aiding web developers in grasping the intricacies of securing web applications.
  • Serving as an effective educational tool for teachers and students in a classroom setting.


Before diving into the setup, ensure you have the Kali Virtual Machine, which can be downloaded from Offensive Security’s website.

Step-by-step Installation and Testing Process

  1. Update Kali:
sudo apt update && sudo apt upgrade -y
  1. Install Chrome:
    • Download the Chrome .deb file from this link.
    • Install using the command:
sudo apt install ./google-chrome-stable_current_amd64.deb && sudo apt --fix-broken install
  1. Verify Java Installation:
java -version
  1. Install OWASP ZAP:
sudo apt update && sudo apt install zaproxy -y
  • After installation, verify it by running ZAP.
  1. Install Docker:
sudo apt update && sudo apt install -y docker.io
sudo systemctl enable docker --now
sudo usermod -aG docker $USER
  • Logout and log back in for the changes to take effect.
  1. Download DVWA Docker Image:
docker pull vulnerables/web-dvwa
  1. Run the DVWA Container:
docker run --rm -it -p 80:80 vulnerables/web-dvwa
  1. Access DVWA:

    • Open a web browser and navigate to localhost to access DVWA. Follow the setup process.
  2. Configure ZAP for DVWA:

    • Set up the authentication script, context, and users.
    • Make sure to update the URL based on your specific environment.
  3. Execute Scans on DVWA Site:

  • Start with a spider scan followed by an active scan.


Remember, this guide and the associated video tutorial are strictly for educational and research purposes. The misuse of this information may result in criminal prosecution. We strongly discourage any illegal activities and do not endorse or promote them.

By following this guide, you’re taking a step forward in understanding the nuances of web application security. Happy learning!