Damn Vulnerable Web Application v1.10 Virtual Machine

The latest binary release for Damn Vulnerable Web Application is an ISO of the 1.0.7 version. It was released almost ten years ago in 2010. And the way to install a newer version is quite a lengthy process, so I decided to release this virtual machine with everything already set up.

EDIT 01-03-2023: The download links have been removed because new releases have been made since then. Last release at the time of writing is in 2020. See the latest releases here.

Download the OVA file here.

Alternatively, this link may work better.


  • MD5: 0e498c31feb2cb6ecbcd90339bb20e24
  • SHA1: 58721ab768eb402e807e74aa77b8f5e54469e60f
  • SHA256: e070dd065159df0e3e1ea7a3d24a1df1b207b084a909a3d8d7b65333e088490e


It has been set up with the commit 1d4136af7846c3ddab8676abdfdf9bf02185121f (browse on GitHub), which corresponds to the v1.10 *Development* release.

This VM was made and tested on VMware Fusion. But it should work in VMware Workstation and probably any other virtualisation application that adheres to the OVA format. It uses DHCP to grab its own IP.

If for any reason you need to log into it and tweak it, the credentials are:

  • Username: dvwa
  • Password: l1cafe.blog

… But you’re supposed to gain access through its webpage. Use this only if you need to set up a different IP Address.

It’s based on Ubuntu Server 18.04.3 LTS, and has been updated with the latest available packages at the time of release.

Happy hacking!