How to configure DVWA on a Windows system 💻

TheBitDoodler's Byte
Nov 11, 2020

Hey folks 🙋

In this article I will share how to set up a lab on your Windows system using DVWA (Damn Vulnerable Web Application) for practicing OWASP Top 10 attacks. IKR, this is very basic, but my motto is to cover this topic as an article because I have encountered a lot of infosec enthusiasts who messed up a few things while configuring.

Let’s Bring it on …

First, let’s have a look at what you need to have installed on your machine:

Now I am assuming that XAMPP is already installed, up and running 🏃

Now it’s time to unzip the DVWA zip file which you have downloaded.

Zipped DVWA

Now extract the zip file by right-clicking on the file and then choosing the “Extract All” option.

Now open the XAMPP server and click on the Explorer button:

Now go to the “htdocs” folder and paste the extracted DVWA folder there, but after renaming it as follows:

Now go inside the dvwa folder, where you will find the config folder. Open it 📂. Inside that folder there will be a file named “”.

We have to rename it to only “”. Then this will be a PHP formatted file as follows:

Now we need to open this PHP file in Notepad:

  • Step 1:
  • Step 2:
  • Step 3: Select Notepad from the options, then the file will open.

Now we have to change two fields in the file:

First we have to clear the password field so that it is empty, and in the ‘db_user’ field we have to replace dvwa with root. Like this:
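The same two edits can also be made from PowerShell instead of Notepad. This is an added example, not code from the original article or from the DVWA project. It assumes the settings are written as `$_DVWA[ 'key' ] = 'value';` assignments and that the password key is named `db_password`; the function names, the sample values and the path placeholder are made up for illustration.

```powershell
# Added example (not the article's or DVWA's own code).
function Set-DvwaSetting {
    param(
        [Parameter(Mandatory)] [string] $ConfigText,
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Value
    )
    # Matches an uncommented assignment such as:  $_DVWA[ 'db_user' ] = 'dvwa'
    $pattern = "(?m)^(\s*\`$_DVWA\[\s*'$([regex]::Escape($Key))'\s*\]\s*=\s*)'[^']*'"
    $found = [regex]::Matches($ConfigText, $pattern).Count
    if ($found -ne 1) {
        # Stops here if this is the wrong file or the key is missing or duplicated.
        throw "Expected exactly one '$Key' assignment, found $found."
    }
    # A match evaluator keeps any '$' in the new value literal.
    [regex]::Replace($ConfigText, $pattern, {
        param($m) $m.Groups[1].Value + "'" + $Value + "'"
    })
}

function Update-DvwaConfigFile {
    param([Parameter(Mandatory)] [string] $Path)
    Copy-Item -LiteralPath $Path -Destination "$Path.bak"   # keep the original
    $text = Get-Content -LiteralPath $Path -Raw
    $text = Set-DvwaSetting -ConfigText $text -Key 'db_user' -Value 'root'
    $text = Set-DvwaSetting -ConfigText $text -Key 'db_password' -Value ''
    Set-Content -LiteralPath $Path -Value $text -NoNewline
}

# Constructed sample of the two lines before the edit (values are placeholders).
$sample = @'
$_DVWA[ 'db_user' ]     = 'dvwa';
$_DVWA[ 'db_password' ] = 'old-password';
'@
$edited = Set-DvwaSetting -ConfigText $sample -Key 'db_user' -Value 'root'
Set-DvwaSetting -ConfigText $edited -Key 'db_password' -Value ''
# For the real file: Update-DvwaConfigFile -Path '<path to the renamed config file>'
```

These values work because XAMPP's bundled MySQL ships with a `root` account that has no password, which is a setting suited to a local practice lab only.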

Now it’s time to start two services, the Apache server and the MySQL database, from the XAMPP server.

Now we have to open a browser and type the URL in the address bar

There you will see a page like the one below:

Now scroll down to the bottom, where you will find a button named “Create / Reset Database”. Just click it.

After clicking, wait a few seconds and then you will see this login screen:

Now you will be able to log in using the default username: admin and password: password.

Happy Learning 😋

If you are still having any issues, then I am a ping away.

Twitter :