DVAA
Damn Vulnerable AI Agent. An intentionally vulnerable agent for security training.
DVAA is intentionally insecure. Run it only in isolated environments. Never expose it to production networks.
DVAA is a purpose-built AI agent that contains real, exploitable vulnerabilities across every major AI agent attack category. It is designed for security practitioners, red teamers, and developers who want hands-on experience finding and exploiting AI agent weaknesses in a safe, controlled environment. Think of it as the AI agent equivalent of DVWA (Damn Vulnerable Web Application) -- a training ground where breaking things is the intended outcome.
Each exercise in DVAA maps to a real-world vulnerability pattern observed in production AI agents. The agent exposes an HTTP API and a web UI, making it compatible with both manual testing and automated scanning tools like HackMyAgent.
Quick Start
# Pull from Docker Hub docker pull opena2a/dvaa:latest # Run the vulnerable agent docker run -p 3000:3000 opena2a/dvaa:latest # Open in browser open http://localhost:3000
Alternatively, build and run from source using Docker Compose:
git clone https://github.com/opena2a-org/damn-vulnerable-ai-agent cd damn-vulnerable-ai-agent docker compose up
Training Exercises
DVAA includes exercises covering the most common AI agent vulnerabilities. Each exercise provides a description of the vulnerability, hints for exploitation, and a difficulty rating:
Prompt Injection
Exploit system prompt vulnerabilities to override agent behavior. Includes both direct and indirect injection vectors.
Tool Misuse
Trick the agent into using tools in unintended ways, such as reading arbitrary files or executing commands.
Data Exfiltration
Extract sensitive data through agent responses, tool outputs, and side channels.
Privilege Escalation
Gain access to restricted capabilities and admin functions by manipulating the agent context.
Credential Theft
Find and exploit hardcoded credentials in agent configurations and environment variables.
Supply Chain
Exploit dependency confusion and MCP server trust relationships to inject malicious tool responses.
Available Scenarios
Beyond the core exercise categories, DVAA ships with specific scenario configurations that simulate real-world attack surfaces:
- Multi-turn prompt injection -- the attacker builds context over multiple messages before triggering the exploit
- Indirect injection via tool output -- malicious instructions embedded in data returned by external tools
- Token exhaustion -- denial-of-service via crafted inputs that consume the agent's context window
- MCP server spoofing -- a rogue tool server that returns poisoned responses to the agent
- Excessive agency -- the agent performs destructive actions (file deletion, API calls) without confirmation
Using with HackMyAgent
DVAA is the recommended target for learning HackMyAgent. Start DVAA in one terminal, then run automated scans against it to see how vulnerabilities are detected and reported:
# Start DVAA docker run -p 3000:3000 opena2a/dvaa:latest # Scan with HackMyAgent opena2a scan http://localhost:3000 --attack # Run the full OASB benchmark against DVAA opena2a benchmark http://localhost:3000
Compare your manual findings with the automated scan results to understand detection coverage and identify gaps in tooling.
Environment Variables
DVAA accepts optional environment variables to configure which exercises are enabled:
# Enable all exercises (default) docker run -e DVAA_EXERCISES=all -p 3000:3000 opena2a/dvaa:latest # Enable only prompt injection exercises docker run -e DVAA_EXERCISES=prompt-injection -p 3000:3000 opena2a/dvaa:latest # Set difficulty level docker run -e DVAA_DIFFICULTY=hard -p 3000:3000 opena2a/dvaa:latest