Web Penetration Testing Lab setup using XVWA

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice. It’s totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and fundamental way. Learn and acquire these skills for good purpose.

XVWA is designed to understand following security issues.

  • SQL Injection – Error Based
  • SQL Injection – Blind
  • OS Command Injection
  • XPATH Injection
  • Formula Injection
  • PHP Object Injection
  • Unrestricted File Upload
  • Reflected Cross Site Scripting
  • Stored Cross Site Scripting
  • DOM Based Cross Site Scripting
  • Server Side Request Forgery (Cross Site Port Attacks)
  • File Inclusion
  • Session Issues
  • Insecure Direct Object Reference
  • Missing Functional Level Access Control
  • Cross Site Request Forgery (CSRF)
  • Cryptography
  • Unvalidated Redirect & Forwards
  • Server Side Template Injection

Configuration of XVWA lab on windows is totally same as BWAPP . I am using xamp so let’s configure this lab under xampp server, firstly download xvwa from here

Now Extract XVWA lab setup in the location” C:\xampp\htdocs\” as is shown below and change the name of folder as xvwa.

Open folder xvwa to access its config file. Then open the php file” config” for configuration of xvwa to make it run on localhost server.

Here you need to make several changes in given below screenshot of config file.

Remove “/var/www/html” from XVWA_WEBROOT; remove “xvwa” under dbname; replace “localhost” from “” then save the php file without changing its name at same location. Get more help from given screeshot of “config” after making above changes.

Next open php configuration setting file please look over image given below

Make several changes again by editing on for all three settings.

Now time to run XVWA on browser; type URL: and you’ll get this kind of web page of xvwa which consist of many attacks

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...

Leave a Reply

Your email address will not be published. Required fields are marked *