Home /
EH ToolsWeb Security

Xtreme Vulnerable Web Application (XVWA) – Practice Hacking Attacks

By Ehacking Staff
XVWA is a badly coded web application written in PHP/MySQL that helps
security enthusiasts to learn application security. It’s not advisable
to host this application online as it is designed to be “Xtremely
Vulnerable”. We recommend hosting this application in local/controlled
environment and sharpening your application security ninja skills with
any tools of your own choice. It’s totally legal to break or hack into
this. The idea is to evangelize web application security to the
community in possibly the easiest and fundamental way. Learn and acquire
these skills for good purpose. How you use these skills and knowledge
base is not our responsibility.

XVWA is designed to understand following security issues.

  • SQL Injection – Error Based
  • SQL Injection – Blind
  • OS Command Injection
  • XPATH Injection
  • Unrestricted File Upload
  • Reflected Cross Site Scripting
  • Stored Cross Site Scripting
  • DOM Based Cross Site Scripting
  • Server Side Request Forgery (Cross Site Port Attacks)
  • File Inclusion
  • Session Issues
  • Insecure Direct Object Reference
  • Missing Functional Level Access Control
  • Cross Site Request Forgery (CSRF)
  • Cryptography
  • Unvalidated Redirect & Forwards
  • Server Side Template Injection

Good Luck and Happy Hacking!

Do not host this application on live or production environment. XVWA is
totally vulnerable application and giving online/live access of this
application could lead to complete compromise of your system. We are not
responsible for any such bad incidents. Stay safe ! 

Instruction

XVWA is hassle-free to setup. You can set this up on windows, linux
or Mac. Following are the basic steps you should be doing on your
Apache-PHP-MYSQL environment to get this working. Let that be WAMP,
XAMP or anything you prefer to use.

Copy the xvwa folder in your web directory. Make sure the directory name remains xvwa itself.

Make necessary changes in xvwa/config.php for database connection. Example below:

$XVWA_WEBROOT = ”;
$host = “localhost”;
$dbname = ‘xvwa’;
$user = ‘root’;
$pass = ‘root’;

Make following changes in PHP configuration file

file_uploads = on
allow_url_fopen = on
allow_url_include = on

Access the application on : http://localhost/xvwa/

Setup the database and table by accessing http://localhost/xvwa/setup/

The login details

admin:admin
xvwa:xvwa
user:vulnerable

Download and read more here 

Previous articleBrolux : A Chinese Trojan Targeting Online Banking Users
Next articleU.S and China on the verge of Cyber War
Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

RELATED ARTICLES

Dusk

Sunset: Dusk VM walkthrough

Ehacking Staff - 0
Sunset: dusk is a vulnerable by design Debian based machine created by whitecrOwz. It is available on https://www.vulnhub.com This machine is ranked as a beginner...
Read more
EH Tools

How To Find Hidden Web Directories Using Dirsearch

Irfan Shakeel - 0
When a security analyst performing website penetration testing the initial step should be finding hidden directories of a vulnerable website. These hidden web directories are...
Read more
Server Security

Considering Security in a Shared Workspace

Ehacking Staff - 0
Considering Security in a Shared Workspace It’s fair to say at this point that shared workspaces (or coworking spaces, as they’re also called) represent a...
Read more

Most Popular

How to Install Kali Linux on VirtualBox [Windows Host] in 2020

Kali Linux Irfan Shakeel - 0
Kali Linux is a Debian based Linux distribution, released on the 13th March 2013 as a complete rebuild of BackTrack Linux. It is one of...
Read more

Acunetix v13 Release Introduces Groundbreaking Innovations

Cyber Security Ehacking Staff - 0
The newest release of the Acunetix Web Vulnerability Scanner further improves performance and premieres best-of-breed technologies London, United Kingdom – February 5, 2019 – Acunetix,...
Read more

What is Ethical Hacking, how to be an Ethical Hacker

Ethical Hacking Ehacking Staff - 0
Hacking is the process of discovering vulnerabilities in a system and using these found vulnerabilities by gaining unauthorized access into the system to perform...
Read more

Basic steps to ensure security Online!

Cyber Security Ehacking Staff - 0
Security concerns are growing day by day due to the growing interconnectivity and technology. Drastic things can happen if you be a little careless...
Read more
Load more

ABOUT US

Secure technology infrastructure through quality education Create future Information & Cyber security professionals Education for everyone, everywhere

POPULAR POSTS

How to Install Kali Linux on VirtualBox [Windows Host] in 2020

Kali Linux Irfan Shakeel - 0
Kali Linux is a Debian based Linux distribution, released on the 13th March 2013 as a complete rebuild of BackTrack Linux. It is one of...
Read more

Acunetix v13 Release Introduces Groundbreaking Innovations

Cyber Security Ehacking Staff - 0
The newest release of the Acunetix Web Vulnerability Scanner further improves performance and premieres best-of-breed technologies London, United Kingdom – February 5, 2019 – Acunetix,...
Read more

What is Ethical Hacking, how to be an Ethical Hacker

Ethical Hacking Ehacking Staff - 0
Hacking is the process of discovering vulnerabilities in a system and using these found vulnerabilities by gaining unauthorized access into the system to perform...
Read more

FOLLOW US

All Rights Reserved by The World of IT & Cyber Security: ehacking.net © 2019 - 2020