OWASP Vulnerable Web Applications Directory

An OWASP production project

A comprehensive registry of known vulnerable web and mobile applications for legal security testing and training.

dvws-node

Damn Vulnerable Web Services: vulnerable application with a web service and API for learning API/web service vulnerabilities. Covers IDOR, access control, mass assignment, XSS, NoSQL/SQL injection, SSRF, JWT brute force, CORS, XXE, command/XPATH injection, GraphQL issues, CSRF, rate-limit bypass, and more. Replacement for original DVWS.

Collections: offline, container
Technology: Web Services, Node.js, MongoDB, MySQL, OpenAPI, Swagger
Categories: Free-form, Single-player
Author: @snoopysecurity
Stars: 507
Last contribution: Mar 29, 2026 (< 6mo)

Notes

Requires Node 20+, with MongoDB on port 27017 and MySQL on port 3306. Manual setup: run npm install --build-from-source, then node startup_script.js, then sudo npm start (listens on port 80, or the port set in .env). Docker: docker-compose up. Add dvws.local to /etc/hosts for Swagger. Solutions are on the wiki.
