Web Penetration Testing Lab setup using XVWA

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts learn application security. It is not advisable to host this application online, as it is designed to be “Xtremely Vulnerable”. We recommend hosting it in a local, controlled environment and sharpening your application security ninja skills with any tools of your own choice. It is totally legal to break or hack into it. The idea is to evangelize web application security to the community in possibly the easiest and most fundamental way. Learn and acquire these skills for a good purpose.

XVWA is designed to help you understand the following security issues.

  • SQL Injection – Error Based
  • SQL Injection – Blind
  • OS Command Injection
  • XPATH Injection
  • Formula Injection
  • PHP Object Injection
  • Unrestricted File Upload
  • Reflected Cross-Site Scripting
  • Stored Cross-Site Scripting
  • DOM Based Cross Site Scripting
  • Server-Side Request Forgery (Cross Site Port Attacks)
  • File Inclusion
  • Session Issues
  • Insecure Direct Object Reference
  • Missing Functional Level Access Control
  • Cross-Site Request Forgery (CSRF)
  • Cryptography
  • Unvalidated Redirect & Forwards
  • Server Side Template Injection

The configuration of the XVWA lab on Windows is the same as for bWAPP. I am using XAMPP, so let’s configure this lab under the XAMPP server. First, download XVWA from here.

Now extract the XVWA lab setup into the location “C:\xampp\htdocs\”, as shown below, and rename the folder to xvwa.

Open the xvwa folder to access its config file, then open the PHP file “config” (config.php) to configure XVWA so that it runs on the localhost server.

Here you need to make several changes, shown in the screenshot of the config file below.

Remove “/var/www/html” from XVWA_WEBROOT; remove “xvwa” under dbname; replace “localhost” with “”; then save the PHP file in the same location without changing its name. The screenshot of “config” after these changes gives more help.

Next, open the PHP configuration settings file (php.ini); please look over the image given below.

Make several changes again by setting all three settings to On.

Now it is time to run XVWA in the browser. Type the URL: and you’ll get an XVWA web page like this one, listing the many attacks.
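Once the lab is up, two things are worth verifying before you start: that the config.php edit from the steps above actually took (the Linux webroot removed from XVWA_WEBROOT), and that, as the introduction warns, the deliberately vulnerable app is reachable only from this machine and not from the rest of the network. The script below is an added example and not part of the original post or of the XVWA project; it assumes a config.php made of simple `$name = 'value';` lines (only XVWA_WEBROOT is taken from the post, the other variable names are assumed for the sample) and parses `netstat -an` output in the shape Windows prints it, using constructed sample data for both.

```python
import re
from typing import Dict, List

# Constructed sample of an XVWA config.php before the post's edit: the
# Linux webroot is still set. Variable names other than XVWA_WEBROOT are
# assumptions for this example, not taken from the project.
SAMPLE_CONFIG_BEFORE = """<?php
$XVWA_WEBROOT = '/var/www/html';
$host = 'localhost';
$dbname = 'xvwa';
$user = 'root';
$pass = '';
?>"""

# Matches one scalar assignment per line: $name = 'value'; or $name = "value";
ASSIGN_RE = re.compile(r"""^\s*\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.MULTILINE)


def parse_php_scalars(text: str) -> Dict[str, str]:
    """Extract simple $name = 'value'; assignments from a PHP config file."""
    return {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(text)}


def set_webroot_for_windows(text: str) -> str:
    """Apply the post's edit: drop the Linux path from XVWA_WEBROOT so the
    app is served from the htdocs folder it was extracted into."""
    return re.sub(r"""(\$XVWA_WEBROOT\s*=\s*)(['"]).*?\2(\s*;)""", r"\1''\3", text)


def check_windows_config(text: str) -> List[str]:
    """Return a list of problems; an empty list means the edit was applied."""
    cfg = parse_php_scalars(text)
    problems = []
    if "XVWA_WEBROOT" not in cfg:
        problems.append("XVWA_WEBROOT not found")
    elif cfg["XVWA_WEBROOT"] != "":
        problems.append(f"XVWA_WEBROOT still set to {cfg['XVWA_WEBROOT']!r}")
    return problems


# Constructed lines in the shape of `netstat -an` on Windows. A wildcard
# local address (0.0.0.0 or [::]) means other hosts on the network can
# reach the port; only 127.0.0.1 / ::1 keeps the lab local to this machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s*$", re.MULTILINE)


def exposed_listeners(netstat_text: str, lab_ports=(80, 443, 3306)) -> List[str]:
    """Return local addresses of lab-port listeners bound beyond loopback."""
    exposed = []
    for m in LISTEN_RE.finditer(netstat_text):
        local = m.group(1)
        host, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in lab_ports:
            continue
        if host.strip("[]") not in ("127.0.0.1", "::1"):
            exposed.append(local)
    return exposed


if __name__ == "__main__":
    print("before edit:", check_windows_config(SAMPLE_CONFIG_BEFORE))
    fixed = set_webroot_for_windows(SAMPLE_CONFIG_BEFORE)
    print("after edit: ", check_windows_config(fixed))
    print("listeners reachable from the network:", exposed_listeners(SAMPLE_NETSTAT))
```

On a real install, read `C:\xampp\htdocs\xvwa\config.php` into `check_windows_config` and feed the output of `netstat -an` to `exposed_listeners`; anything it returns is a port XAMPP has opened on every interface, which is what you want to avoid for an application built to be broken into.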

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets. Contact here
