Xtreme Vulnerable Web Application (XVWA) - Practice Hacking Attacks

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice. It’s totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and fundamental way. Learn and acquire these skills for good purpose. How you use these skills and knowledge base is not our responsibility.

XVWA is designed to understand following security issues.
  • SQL Injection – Error Based
  • SQL Injection – Blind
  • OS Command Injection
  • XPATH Injection
  • Unrestricted File Upload
  • Reflected Cross Site Scripting
  • Stored Cross Site Scripting
  • DOM Based Cross Site Scripting
  • Server Side Request Forgery (Cross Site Port Attacks)
  • File Inclusion
  • Session Issues
  • Insecure Direct Object Reference
  • Missing Functional Level Access Control
  • Cross Site Request Forgery (CSRF)
  • Cryptography
  • Unvalidated Redirect & Forwards
  • Server Side Template Injection
Good Luck and Happy Hacking!

Do not host this application on live or production environment. XVWA is totally vulnerable application and giving online/live access of this application could lead to complete compromise of your system. We are not responsible for any such bad incidents. Stay safe ! 


XVWA is hassle-free to setup. You can set this up on windows, linux or Mac. Following are the basic steps you should be doing on your Apache-PHP-MYSQL environment to get this working. Let that be WAMP, XAMP or anything you prefer to use.

Copy the xvwa folder in your web directory. Make sure the directory name remains xvwa itself.

Make necessary changes in xvwa/config.php for database connection. Example below:

$XVWA_WEBROOT = ''; $host = "localhost"; $dbname = 'xvwa'; $user = 'root'; $pass = 'root';
Make following changes in PHP configuration file

file_uploads = on allow_url_fopen = on allow_url_include = on

Access the application on : http://localhost/xvwa/
Setup the database and table by accessing http://localhost/xvwa/setup/
The login details

admin:admin xvwa:xvwa user:vulnerable

Download and read more here 
Xtreme Vulnerable Web Application (XVWA) - Practice Hacking Attacks Reviewed by Ethical Hacking on 6:35 AM Rating: 5

No comments:

Feel free to ask questions, we love to respond.

All Rights Reserved by The World of IT & Cyber Security: © 2014 - 2015
Powered By Blogger, Designed by Sweetheme

Contact Form


Email *

Message *

Powered by Blogger.