DVAIA - Damn Vulnerable AI Application
Feb 23, 2026
DVAIA (Damn Vulnerable AI Application) is an open-source educational platform designed for LLM red team training and security testing. Inspired by DVWA (Damn Vulnerable Web Application), it provides a hands-on web interface to explore AI vulnerabilities and attack vectors in a safe, local environment.
Repository: github.com/airtasystems/DVAIA-Damn-Vulnerable-AI-Application
What is DVAIA?
- Web UI for manual exploration of LLM vulnerabilities
- Runs on http://127.0.0.1:5000 (Flask app)
- Uses Ollama local models (no external API dependencies; private and cost-free)
- Educational platform for understanding LLM attack vectors
- Covers LLM testing, RAG testing, multimodal testing, agent testing, and payload generation
7 interactive attack panels
Each panel is vulnerable by design for learning:
- Direct Injection: Standard prompt injection, role-play jailbreaks, privilege escalation; advanced sampling controls (Temperature, Top K, Top P).
- Document Injection: Upload malicious files (PDF, DOCX, CSV, or images with OCR) containing hidden instructions to manipulate model output via document context.
- Web Injection: SSRF and indirect prompt injection by fetching malicious web pages (including a built-in /evil/ route) without allowlists.
- RAG Poisoning: Inject malicious chunks into the vector database (Qdrant); poisoned context manipulates the LLM when queried.
- Template Injection: Server-Side Template Injection (SSTI)–style breakout of prompt templates using unescaped user input.
- Payloads Generation: Built-in utility to generate malicious test assets (e.g. text files or PDFs with hidden payloads) for use in Document Injection.
- Agentic Testing: ReAct-style agent with intentionally vulnerable SQLite-backed tools (e.g. deleting documents, accessing internal config). Chain-of-Thought visibility with "thinking" models to observe how the AI reasons through malicious tool-use requests.
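The Web Injection panel fetches whatever URL it is given, with no allowlist, which is what lets it reach its own /evil/ route on 127.0.0.1:5000. The following is an added example, written for this article and not part of the DVAIA code, of the kind of URL check a fetch tool would apply before retrieving anything: it enforces an http/https scheme, rejects literal IP addresses in loopback, private, link-local and similar ranges, and only then accepts hosts from a fixed allowlist. The allowlist contents and the function names are assumptions for the example.

```python
"""URL allowlist check for an LLM web-fetch tool (added example, not DVAIA code).

Assumes the tool receives a user- or model-supplied URL string and must decide
whether an HTTP client may fetch it. ALLOWED_HOSTS and the function names are
hypothetical values chosen for this example.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hostnames the fetch tool may contact.
ALLOWED_HOSTS = frozenset({"docs.example.com", "wiki.example.com"})
ALLOWED_SCHEMES = frozenset({"http", "https"})


def check_fetch_url(url: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason) for a candidate fetch URL.

    Checks run in order: parseable, allowed scheme, host present, no literal
    IP address (internal ranges are named explicitly in the reason), host on
    the allowlist. Anything not explicitly allowed is rejected.
    """
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"

    host = parts.hostname  # already lowercased; brackets stripped from IPv6
    if not host:
        return False, "missing host"

    # A literal address bypasses the hostname allowlist entirely, so it is
    # never accepted; internal ranges get a more specific reason for logging.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
            return False, f"internal or non-routable address: {addr}"
        return False, f"literal IP addresses are not allowlisted: {addr}"

    if host not in allowed_hosts:
        return False, f"host not allowlisted: {host}"
    return True, "ok"


def run_sample_checks():
    """Evaluate a set of constructed URLs and return {url: (allowed, reason)}."""
    samples = [
        "https://docs.example.com/page",          # allowlisted host
        "http://127.0.0.1:5000/evil/",            # the app's own local route
        "http://[::1]:5000/",                     # IPv6 loopback
        "http://10.0.0.5/",                       # private range
        "file:///etc/passwd",                     # non-HTTP scheme
        "http://docs.example.com@evil.invalid/",  # userinfo trick; real host differs
    ]
    return {u: check_fetch_url(u) for u in samples}


if __name__ == "__main__":
    for url, (ok, reason) in run_sample_checks().items():
        print(f"{'ALLOW' if ok else 'DENY '} {url}  ({reason})")
```

Two caveats a practitioner would add at the fetch layer itself: the hostname check says nothing about what the name resolves to, so the client should resolve the allowlisted name and re-apply the address test to the resolved IP (and on every redirect hop), and the fetched content still has to be treated as untrusted text before it is placed into the model context, since this check only limits where the tool can reach, not what it brings back.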
Tech stack & deployment
- Frameworks: Python, Flask (web UI), LangChain (LLM orchestration)
- AI & data: Ollama (local LLMs and embeddings), Qdrant (vector DB for RAG)
- Deployment: Docker Compose or local Python virtual environment
Primary use cases
- Learning & education: Understanding prompt injection, data exfiltration, and tool misuse
- Payload development: Generating and testing malicious assets
- Attack chaining: Combining vectors (e.g. RAG poisoning + template injection)
- Model comparison: Testing how different local models handle the same jailbreaks or malicious contexts
DVAIA is intended strictly for authorized security testing and educational purposes.