DVWA – It stands for Damn Vulnerable Web App. It is based on PHP and runs on MySQL database server, which is indeed damn vulnerable. It has three levels of security: Low, Medium, and High. Each level of security demands different skills. Developers have decided to share its source code, too, so that security researchers can see what is going on at the backend.
DVWA has vulnerabilities like XSS, CSRF, SQL injection, file injection, upload flaws and more, which is great for researchers to learn and help others learn about these flaws. Researchers can also use their various tools to capture packets, brute force, and other such tactics on DVWA.
One should try to exploit this application completely. You can easily reset database if you want to start it over again. You can simply download DVWA from DVWA-master.